CN110099027A - Transmission method and device, storage medium, the electronic device of service message - Google Patents


Info

Publication number
CN110099027A
Authority
CN (China)
Prior art keywords
service message, field, message, group field, watermark
Legal status
Granted
Application number
CN201810085054.0A
Other languages
Chinese (zh)
Other versions
CN110099027B (en)
Inventor
陈国�
罗喜军
张浩浩
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Events
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201810085054.0A
Publication of CN110099027A
Application granted
Publication of CN110099027B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention discloses a transmission method and device for service messages, together with a storage medium and an electronic device. The method comprises: obtaining a first service message sent by a first object to a second object, where the first service message includes a watermark feature code and a message load; matching the second group field of the watermark feature code by means of the first group field of the watermark feature code, to obtain a matching result; and, where the matching result indicates that the second group field was successfully matched, forwarding the first service message to the second object. The invention solves the technical problem of the low security of network services in the related art.

Description

Transmission method and device, storage medium, the electronic device of service message
Technical field
The present invention relates to the internet field, and in particular to a transmission method and device for service messages, a storage medium and an electronic device.
Background technique
DDoS is the abbreviation of Distributed Denial of Service. It refers to a class of network attack in which certain technical means of a distributed nature, such as exploiting protocol flaws or sending concentrated bursts of data packets, cause the target host to refuse service to normal users, or cause the target host's communication with the outside world to become abnormal. DDoS attacks come in many varieties. By attack level they are broadly divided into two classes, "network-layer (also called flow-type) attacks" and "application-layer attacks"; by protocol they are broadly divided into TCP DDoS attacks, UDP DDoS attacks, ICMP DDoS attacks and so on.
Using DDoS attack tools, a hacker can control many machines to attack the server providing a service simultaneously, so as to "interfere with the normal users' use of the service". As one of the common, highly harmful security threats, DDoS attacks have long been a major worry for enterprise security departments. According to authoritative statistics, the number of DDoS attacks has grown by 17% year-on-year in recent years. In an actual DDoS attack, attack traffic easily reaches 10Gbps, which is equivalent to the fibre bandwidth of 100 links of 100M; statistics from Chinese telecommunications network security show that in recent years attacks with a flow rate above 10Gbps have exceeded 45000 per month, and attacks above 40Gbps have reached 1628 per month. At present the main reasons for DDoS attacks are mischief, unfair competition, extortion and other motives. DDoS attacks are the most common way in which the normal operation of enterprise networks is affected; the greatest harm an attack brings is that the service provided by the server becomes unreachable, leading to loss of business, and the harm and its effects do not fully disappear until a very long time after the attack has ended, so that enterprises and organisations suffer heavy losses.
For the above-mentioned problem of the low security of network services in the related art, no effective solution has yet been proposed.
Summary of the invention
Embodiments of the invention provide a transmission method and device for service messages, a storage medium and an electronic device, so as at least to solve the technical problem of the low security of network services in the related art.
According to one aspect of the embodiments of the invention, a transmission method for service messages is provided, comprising: obtaining a first service message sent by a first object to a second object, where the first service message includes a watermark feature code and a message load; matching the second group field of the watermark feature code by means of the first group field of the watermark feature code, to obtain a matching result; and, where the matching result indicates that the second group field was successfully matched, forwarding the first service message to the second object.
According to one aspect of the embodiments of the invention, a transmission method for service messages is provided, comprising: filling a watermark feature code and a message load into a first service message to be sent, where the first group field of the watermark feature code is used to indicate the second group field of the watermark feature code that it matches; and sending the first service message to a second object.
According to another aspect of the embodiments of the invention, a transmission device for service messages is also provided, comprising: an obtaining unit, for obtaining a first service message sent by a first object to a second object, where the first service message includes a watermark feature code and a message load; a matching unit, for matching the second group field of the watermark feature code by means of the first group field of the watermark feature code, to obtain a matching result; and a forwarding unit, for forwarding the first service message to the second object where the matching result indicates that the second group field was successfully matched.
According to another aspect of the embodiments of the invention, a transmission device for service messages is also provided, comprising: a filling unit, for filling a watermark feature code and a message load into a first service message to be sent, where the first group field of the watermark feature code is used to indicate the second group field of the watermark feature code that it matches; and a sending unit, for sending the first service message to a second object.
According to another aspect of the embodiments of the invention, a storage medium is also provided. The storage medium includes a stored program, and the program executes the above method when run.
According to another aspect of the embodiments of the invention, an electronic device is also provided, including a memory, a processor and a computer program stored in the memory and runnable on the processor, where the processor executes the above method by means of the computer program.
In embodiments of the invention, the first service message sent by the first object to the second object is obtained, the first service message including a watermark feature code and a message load; the second group field of the watermark feature code is matched by means of the first group field of the watermark feature code, to obtain a matching result; where the matching result indicates that the second group field was successfully matched, the first service message is forwarded to the second object, and where the matching result indicates that the second group field was not successfully matched, the first service message is discarded. In other words, attack messages can be filtered out by the matching operation without reaching the server and affecting the network service it provides. This solves the technical problem of the low security of network services in the related art and thereby achieves the technical effect of improving the security of the network server.
Detailed description of the invention
The drawings described herein are used to provide a further understanding of the invention and constitute part of this application; the illustrative embodiments of the invention and their description are used to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of an optional protection strategy according to an embodiment of the invention;
Fig. 2 is a flow chart of an optional protection strategy according to an embodiment of the invention;
Fig. 3 is a flow chart of an optional protection strategy according to an embodiment of the invention;
Fig. 4 is a flow chart of an optional protection strategy according to an embodiment of the invention;
Fig. 5 is a flow chart of an optional attack on a server in the related art;
Fig. 6 is a flow chart of an optional attack on a server in the related art;
Fig. 7 is a schematic diagram of the hardware environment of the transmission method for service messages according to an embodiment of the invention;
Fig. 8 is a flow chart of an optional transmission method for service messages according to an embodiment of the invention;
Fig. 9 is a schematic diagram of an optional service message according to an embodiment of the invention;
Fig. 10 is a schematic diagram of an optional service message according to an embodiment of the invention;
Fig. 11 is a flow chart of an optional transmission method for service messages according to an embodiment of the invention;
Fig. 12 is a flow chart of an optional transmission method for service messages according to an embodiment of the invention;
Fig. 13 is a flow chart of an optional transmission method for service messages according to an embodiment of the invention;
Fig. 14 is a flow chart of an optional transmission method for service messages according to an embodiment of the invention;
Fig. 15 is a flow chart of an optional transmission method for service messages according to an embodiment of the invention;
Fig. 16 is a flow chart of an optional transmission method for service messages according to an embodiment of the invention;
Fig. 17 is a schematic diagram of an optional growth trend according to an embodiment of the invention;
Fig. 18 is a schematic diagram of an optional regression curve according to an embodiment of the invention;
Fig. 19 is a schematic diagram of an optional transmission device for service messages according to an embodiment of the invention;
Fig. 20 is a schematic diagram of an optional transmission device for service messages according to an embodiment of the invention; and
Fig. 21 is a structural block diagram of a terminal according to an embodiment of the invention.
Specific embodiment
In order to enable those skilled in the art to better understand the solution of the invention, the technical solution in the embodiments of the invention is described clearly and completely below in conjunction with the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention, without creative work, fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that data so used are interchangeable under appropriate circumstances, so that the embodiments of the invention described here can be implemented in sequences other than those illustrated or described here. In addition, the terms "comprising" and "having", and any variation of them, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are intrinsic to the process, method, product or device.
First, some of the nouns and terms that appear in the description of the embodiments of the invention are explained as follows:
Broiler chicken (肉鸡, i.e. a zombie or bot host): also called a puppet machine; a machine that can be remotely controlled by a hacker, for example because the user was induced to click on something such as "Grey Pigeon", or the computer was broken into by a hacker, or a vulnerable user computer has had a trojan planted on it. The hacker can manipulate it at will and use it to do anything; broiler chickens are often used for DDoS attacks. It can run various systems, such as Windows, Linux or Unix, and may well be a server of a company, enterprise or school.
IP: Internet Protocol, the protocol for interconnection between networks.
UDP Flood: a flow-type DDoS attack that uses a large number of small UDP packets to hit DNS servers, Radius authentication servers or streaming media video servers. A UDP Flood of 100k bps often paralyses backbone equipment on the route, such as firewalls, causing the paralysis of an entire network segment.
Payload of a data frame: the data actually transmitted, excluding the protocol header and protocol features.
With the upgrading of DDoS defence technology, the attack methods of more and more DDoS attacks have become more "advanced". In order to bypass the protection strategies of traditional DDoS protection devices, an attacker uses broiler chickens to initiate normal TCP connections to the attacked server from real source IPs and, once the TCP connection is established, sends a large number of garbage messages, such as randomly filled PSH/ACK or ACK messages. Because the attacker uses the real IPs of the broiler chickens, the traditional reverse-probe algorithm cannot identify the malicious source IPs and therefore cannot provide effective protection.
According to one aspect of the embodiments of the invention, several optional protection strategies for the TCP protocol are provided as embodiments.
TCP-class DDoS protection technology can judge whether the source IP is forged by methods such as reverse probing and message retransmission; if the attacker forges the source IP to attack, the traffic cannot pass the reverse-probe algorithm or the retransmission verification algorithm, thereby achieving the purpose of protection.
1) DDoS protection strategy: the reverse-probe algorithm, which protects against TCP attacks initiated from forged source IPs. The attack process is shown in Fig. 1:
Step S102: attacker 101 forges a source IP and sends attack messages to server 105, initiating a TCP DDoS attack;
Step S104: after protection device 103 receives the message, it sends a reverse probe message on behalf of the server;
Step S106: because the source IP is forged, it cannot respond to the reverse probe message; the forged source IP is not added to the trust list, and the attack traffic is intercepted by the protection device.
The process by which a normal client responds to the reverse-probe algorithm is shown in Fig. 2:
Step S202: normal client 107 sends a request message to server 105;
Step S204: after protection device 103 receives the message, it sends a reverse probe message on behalf of the server;
Step S206: the normal client responds to the reverse probe message and automatically reconnects;
Step S208: because the client responded to the reverse probe message, the source IP of the client is added to the trust list, and subsequent messages from that IP are let through;
Step S210: the normal client sends the request message to the server again;
Step S212: the server returns a response message.
2) DDoS protection strategy: the retransmission verification algorithm, which protects against TCP attacks initiated from forged source IPs. The attack process is shown in Fig. 3:
Step S302: attacker 101 sends attack messages to the server, initiating a TCP DDoS attack;
Step S304: after the protection device receives the message, it discards the first request message from that source IP (i.e. the above attack message);
Step S306: because the source IP is forged, the request is not retransmitted, and the attack traffic is intercepted by the protection device.
A normal client, on the other hand, retransmits the request message; the process is shown in Fig. 4:
Step S402: normal client 107 sends a request message to server 105;
Step S404: after the protection device receives the message, it discards the first request message from that source IP;
Step S406: the normal client retransmits the request message;
Step S408: the source IP of the client is added to the trust list, and subsequent messages from that IP are let through.
With the upgrading of DDoS attack methods, an attacker can use the real IPs of broiler chickens and, imitating a real user, initiate a TCP connection and then send a large number of garbage messages to attack the server. Against this attack method the above protection techniques mistake the malicious source IP for a trusted client and add it to the trust list, so the attack traffic passes through transparently. The process by which a broiler chicken bypasses the above reverse-probe algorithm is shown in Fig. 5:
Step S502: attacker 101 sends attack messages to server 105 from the real IP of a broiler chicken, initiating a TCP DDoS attack;
Step S504: after protection device 103 receives the message, it sends a reverse probe message on behalf of the server;
Step S506: the client on the broiler chicken responds to the reverse probe message and automatically reconnects;
Step S508: because the client on the broiler chicken responded to the reverse probe message, the source IP of the broiler chicken is added to the trust list, and subsequent messages from that IP are let through;
Step S510: the client on the broiler chicken sends a request message to the server again;
Step S512: the server returns a response message;
Step S514: the client on the broiler chicken sends a large number of garbage messages to the server.
The process by which a broiler chicken bypasses the above retransmission verification algorithm is shown in Fig. 6:
Step S602: attacker 101 sends attack messages to server 105 from the real IP of a broiler chicken;
Step S604: after the protection device receives the message, it discards the first request message from that source IP;
Step S606: the client on the broiler chicken retransmits the request message;
Step S608: the source IP of the client on the broiler chicken is added to the trust list, and subsequent messages from that IP are let through;
Step S610: the client on the broiler chicken sends a large number of garbage messages to the server.
It can be seen that protection schemes which judge whether a source IP is forged, by methods such as reverse probing or message retransmission, are no longer effective: an attacker can bypass the above DDoS protection algorithms by launching DDoS attacks from the real IPs of broiler chickens, and the above protection algorithms cannot provide effective protection.
According to one aspect of the embodiments of the invention, several optional protection strategies for the UDP protocol are also provided as embodiments.
UDP protection schemes can be divided into several types: rate limiting, feature filtering, packet-length limiting and source-port filtering:
1) Rate-limiting scheme: rate limiting to a specified threshold according to the five-tuple of source IP, destination IP, source port, destination port and protocol number (UDP); the rate-limiting strategy intercepts part of the attack traffic and mitigates UDP FLOOD attacks;
2) Feature filtering: for some UDP attack methods, the UDP attack messages sent contain fixed strings or features that differ from regular service messages; by intercepting UDP messages that match these features, the purpose of protecting against the UDP attack can be achieved;
3) Packet-length limiting strategy: most single UDP service messages are not very long, whereas an attacker, whose aim is to block the attacked server's bandwidth with a UDP attack, usually sets the UDP attack messages to a very large length (typically more than a kilobyte). Based on this scenario, setting a UDP packet-length limiting strategy can intercept over-long UDP messages and realise UDP attack protection;
4) Source-port filtering: many UDP FLOOD attacks use reflection-amplification methods, such as SSDP reflection, CHARGEN reflection and SNMP reflection. The source port of a reflection attack is usually fixed: for example, SSDP (Simple Service Discovery Protocol) reflection has source port 1900, and CHARGEN reflection has source port 19. UDP protection on the protection device can be realised by filtering the common reflector ports.
The above schemes can mitigate UDP attacks to a certain extent, but they still have defects and cannot fully protect against the many kinds of UDP attack methods:
1) The disadvantage of the rate-limiting strategy is that, although it can mitigate UDP attacks to a certain extent, existing strategies rate-limit normal traffic and malicious traffic without distinction, so there is a risk of "killing" normal traffic; and for attack methods that forge the source IP, the number of attack sources is usually very large, so the protection effect of rate limiting is poor;
2) The disadvantage of feature filtering is that this strategy is effective only where the attack messages contain fixed strings or features that differ from regular service messages; against attack methods that are indistinguishable from normal traffic it cannot play a role;
3) The disadvantage of the packet-length limiting strategy is that, like feature filtering, it protects effectively only when the attack messages have a message length clearly different from that of normal service; otherwise it is difficult to achieve the protection purpose;
4) The disadvantage of source-port filtering is that, apart from reflection attacks, common UDP FLOODs have no concentration of ports; in most cases the attack is launched from random source ports, so a source-port filtering policy can hardly achieve the protection purpose.
It can be seen that the above protection schemes applied to TCP and UDP still have defects. To solve these problems, according to one aspect of the embodiments of the invention, an embodiment of a transmission method for service messages is also provided.
Optionally, in this embodiment, the above transmission method for service messages can be applied to the hardware environment shown in Fig. 7, which is composed of server 701, protection device 703 and terminal 705. As shown in Fig. 7, server 701 is connected with terminal 705 through a network, which includes but is not limited to a wide area network, a metropolitan area network or a local area network; terminal 705 is not limited to a PC, mobile phone, tablet computer and so on. The transmission method for service messages of the embodiment can be executed by protection device 703, by terminal 705, or jointly by protection device 703 and terminal 705. Where terminal 705 executes the transmission method of the embodiment, this may also be done by a client installed on it. As shown in Fig. 7:
Step S702: the terminal and the protection device share the same watermark computation method; when the terminal sends a service message, it inserts the watermark feature code at the specified position in the service message and sends it to the server;
Step S704: the protection device intercepts the service message sent by the terminal, computes the watermark feature code according to the shared watermark computation method, and then compares it with the watermark in the received message;
Step S706: if they are the same, the message is a legitimate service message; the protection device lets it through and forwards the service message to the server;
Step S708: if they are not the same, the message is an illegitimate service message, and the protection device discards it.
The method is described below from the terminal side and from the protection device side respectively. Fig. 8 is a flow chart of an optional transmission method for service messages according to an embodiment of the invention, applied on the terminal side; as shown in Fig. 8, the method may comprise the following steps:
Step S802: fill a watermark feature code and a message load into the first service message to be sent, where the first group field of the watermark feature code is used to indicate the second group field of the watermark feature code that it matches.
The above first object is the sending end of the message and the second object is the receiving end; the first and second objects may be hardware objects, such as a server or a terminal, or software objects, such as a software client or a web client.
The first service message, which may also be called a data packet, can be divided into three parts as shown in Fig. 9 and Fig. 10: the first part is the intrinsic part of the message, such as the IP header and TCP header in a TCP message, or the IP header and UDP header in a UDP message; the second part is the message load, i.e. the payload of the message, used to carry service data; the third part is the watermark feature code, used to carry the watermark fingerprint information. The watermark feature codes of two adjacent service messages are different, for example the first service message and the service message before it, or the first service message and the service message after it.
An optional watermark feature is shown in Fig. 9 and Fig. 10. The watermark feature code can be divided into two parts: the first group field, by which the first object informs the second object of information such as the watermarking algorithm version it uses, the key version and the initial field; and the second group field, which is used to indicate the watermark fingerprint and the sequence number.
Optionally, filling the watermark feature code and the message load into the first service message to be sent may include:
1) carrying a target string (the initial field) in the second field of the first group field;
2) carrying key indication information (such as the key version) in the third field of the first group field;
3) carrying watermark indication information (such as the watermarking algorithm version) in the fourth field of the first group field;
4) carrying the watermark fingerprint in the first field of the second group field;
5) carrying the sequence number in the fifth field of the second group field.
Then the watermark feature code carrying this information and the message load are filled into the first service message.
Step S804: send the first service message to the second object.
Through the above steps, a watermark feature code and a message load are filled into the first service message to be sent, where the first group field of the watermark feature code is used to indicate the second group field of the watermark feature code that it matches, and the first service message is sent to the second object. On the protection device side, the second group field of the watermark feature code is matched by means of the first group field of the watermark feature code, to obtain a matching result; where the matching result indicates that the second group field was successfully matched, the first service message is forwarded to the second object, and where the matching result indicates that the second group field was not successfully matched, the first service message is discarded. In other words, attack messages can be filtered out by the matching operation without reaching the server and affecting the network service it provides. This solves the technical problem of the low security of network services in the related art and thereby achieves the technical effect of improving the security of the network server.
Fig. 11 is a flow chart of an optional transmission method for service messages according to an embodiment of the invention, applied on the protection device; as shown in Fig. 11, the method may comprise the following steps:
Step S1102: obtain the first service message sent by the first object to the second object, where the first service message includes a watermark feature code and a message load.
The above first object is the sending end of the message and the second object is the receiving end; the first and second objects may be hardware objects, such as a server or a terminal, or software objects, such as a software client or a web client.
The first service message, which may also be called a data packet, can be divided into three parts: the first part is the intrinsic part of the message, such as the IP header and TCP header in a TCP message, or the IP header and UDP header in a UDP message; the second part is the message load, i.e. the payload of the message, used to carry service data; the third part is the watermark feature code, used to carry the watermark fingerprint information. The watermark feature codes of two adjacent service messages are different, for example the first service message and the service message before it, or the first service message and the service message after it.
Step S1104: match the second group field of the watermark feature code by means of the first group field of the watermark feature code, to obtain a matching result.
According to the protection level, the protection device can use a corresponding strategy to match the second group field of the watermark feature code by means of the first group field of the watermark feature code.
The watermark feature code can be divided into two parts: the first group field, by which the first object informs the second object of information such as the watermarking algorithm and key it uses; and the second group field, which is used to indicate the watermark fingerprint.
Step S1106: where the matching result indicates that the second group field was successfully matched, forward the first service message to the second object.
In other words, only a first object and a protection device that have agreed on the usage mode of the watermark feature code can know the watermark fingerprint in the watermark feature code; therefore the protection device can detect, by the watermark feature code carried in a received service message, whether the message is legitimate (i.e. whether the second group field is successfully matched), and lets it through if so, otherwise discards it.
Through the above steps S1102 to S1106, the first service message sent by the first object to the second object is obtained, the first service message including a watermark feature code and a message load; the second group field of the watermark feature code is matched by means of the first group field of the watermark feature code, to obtain a matching result; where the matching result indicates that the second group field was successfully matched, the first service message is forwarded to the second object, and where the matching result indicates that the second group field was not successfully matched, the first service message is discarded. In other words, attack messages can be filtered out by the matching operation without reaching the server and affecting the network service it provides. This solves the technical problem of the low security of network services in the related art and thereby achieves the technical effect of improving the security of the network server.
In the technical solution that step S1104 is provided, by the first group field in watermark feature code to watermark feature code In the second group field matched, obtaining matching result may include following three technical solutions:
(1) Scheme one: detecting the first service message (first packet inspection)
Step S12: execute the operation indicated by the first group field, obtaining an operation result.
The first service message above may be a single service message, such as the first service message received by the safeguard.
Optionally, executing the operation indicated by the first group field to obtain the operation result may include:
Step S122: where the second field in the first group field is the target string, obtain the hash value according to the instruction of the third field in the first group field.
As shown in Figures 9 and 10, this detects whether the initial field is the fixed character string (i.e. the target string); if so, the service message carries a watermark feature code. The corresponding hashcode version is then obtained according to the key version in the third field, and the corresponding hash value is obtained using that hashcode version.
Step S124: perform the arithmetic operation indicated by the fourth field in the first group field on the hash value and the object information of the first object, obtaining the operation result.
The object information of the first object may include the destination IP, the destination port number, the watermark sequence number of the terminal, and so on. The hash value and the object information of the first object are processed according to the watermarking algorithm version indicated by the fourth field, yielding the operation result above.
Step S14: where the operation result is identical to the first field in the second group field, determine that the matching result is the first matching result, the first matching result indicating that the second group field was successfully matched.
If the calculated watermark fingerprint is identical to the watermark fingerprint carried by the service message, the matching result is determined to be the first matching result. If any operation in steps S122 to S124 fails or the operation result is incorrect, for example the second field in the first group field is not the target string, or the operation result is not identical to the first field in the second group field, the matching result is determined to be the fourth matching result, which indicates that the second group field was not successfully matched.
In the light protection of scheme one, where the matching result is the first matching result, all service messages after the first service message may be let through directly; where the matching result is the fourth matching result, all service messages after the first service message may be discarded.
Optionally, to prevent hackers from launching attacks through zombie machines (user machines taken over by viruses or trojans), where the matching result is the fourth matching result a first time limit may be set, and all service messages after the first service message are discarded within the first time limit. This is because the user machine may later have a genuine user demand; the time limit avoids filtering the user's genuine requests when they are initiated.
(2) Scheme two: detecting the trend of sequence numbers in service messages (replay protection)
The first service message above may represent a set of service messages. When matching the second group field by means of the first group field in the watermark feature code to obtain a matching result, this can be achieved by the following steps:
Step S22: for the service messages received consecutively by the safeguard (their entirety may be denoted the service message set above), execute the operation indicated by the first group field of each service message one by one, obtaining the operation result.
The detailed process is as in steps S122 to S124 above.
Step S24: for each service message for which an operation result was calculated, match the operation result against the first field in the second group field.
As noted, the matching result includes the first matching result and the fourth matching result. If it is the first matching result, the sequence number in the service message is recorded and the service message is taken as one of the plurality of service messages mentioned above; in other words, the plurality of service messages are those whose matching result is the first matching result.
If it is the fourth matching result and the message is not the first message, the service message is let through directly: where the service message set contains a fifth service message and a sixth service message, the sixth service message is forwarded to the second object if the first field in the second group field of the fifth service message is identical to its operation result, the first field in the second group field of the sixth service message is not identical to its operation result, and the reception time of the sixth service message is later than that of the fifth service message.
The reason a message with the fourth matching result is let through directly is that, at the terminal, some service data (such as a segment of voice) may be packed into one data packet with a watermark feature code attached, but when transmitted in a form such as TCP the data packet may be split into multiple service messages because it is too long. If a service message does not carry a watermark feature code but the service message before it does, the service message is part of a split data packet rather than an attack message, and can be let through directly.
Step S26: where the first field in the second group field of each of the plurality of service messages is identical to its operation result, and the fifth fields (i.e. the sequence numbers) in the second group fields of the plurality of service messages differ and satisfy a predetermined condition, determine that the matching result is the second matching result, which indicates that the second group field was successfully matched; the operation result is that obtained by executing the operation indicated by the first group field.
Optionally, determining whether the fifth fields in the second group fields of the plurality of service messages satisfy the predetermined condition may include the following two implementations:
1) Determination by the number of increasing trends
Step S262: search the plurality of service messages for second service messages. A second service message is one in which the sequence number indicated by the fifth field is not less than the sequence number indicated by the fifth field in a third service message and less than the sequence number indicated by the fifth field in a fourth service message, where the third service message is the one adjacent to the second service message among the plurality of service messages and received before it, and the fourth service message is the one adjacent to the second service message and received after it.
The sequence number above is the sequence number of the watermark recorded by the safeguard, for example 1 to 10 (other numeric ranges are also possible); for every service message sent, the sequence number of the following service message is incremented by 1.
A second service message as defined above is effectively an inflection point at which a growth trend occurs, so counting the second service messages is equivalent to counting the number of growth trends.
Step S264: where the number of second service messages found is less than a first threshold, determine that the fifth fields in the second group fields of the plurality of service messages do not satisfy the predetermined condition, the first threshold being less than the number of messages in the plurality of service messages; for example, the plurality of service messages number 10 and the first threshold is 4.
Step S266: where the number of second service messages found is not less than the first threshold, determine that the fifth fields in the second group fields of the plurality of service messages satisfy the predetermined condition, the first threshold being less than the number of messages in the plurality of service messages.
2) Determination by the linear regression coefficient
The plurality of service messages can be arranged in the order received. Where the regression coefficient $b$ of the sequence numbers indicated by the fifth fields in the second group fields of the plurality of service messages is greater than 0, it is determined that the fifth fields in the second group fields of the plurality of service messages satisfy the predetermined condition,
where $x_i$ denotes the reception order of the sequence number indicated by the fifth field of the $i$-th service message, $y_i$ denotes the sequence number indicated by the fifth field of the $i$-th service message, $\bar{x}$ denotes the average reception order of the sequence numbers indicated by the fifth fields of the plurality of service messages, $\bar{y}$ denotes the average of the sequence numbers indicated by the fifth fields of the plurality of service messages, and $n$ is the number of service messages in the plurality.
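The two replay-protection criteria above (the count of increasing trends from step S262 and the regression coefficient b), applied to the sequence numbers a safeguard has recorded for one session, as an added Python example that is not part of the patent; the M = 10 / N = 4 configuration taken from the worked example later on the page, the handling of the first and last message of the window, and the ordinary least-squares formula for b are assumptions.

```python
# Assumed per-session state: the safeguard has recorded the sequence numbers of
# the messages whose watermark check passed, in the order they were received.

def count_increasing_trends(seqs):
    """Scheme two, implementation 1 (step S262): a 'second service message' is one
    whose sequence number is not less than that of the message received just
    before it and less than that of the message received just after it. Each
    such inflection point counts as one increasing trend. The first and last
    message of the window have only one neighbour and are not counted (assumption)."""
    return sum(
        1 for i in range(1, len(seqs) - 1)
        if seqs[i - 1] <= seqs[i] < seqs[i + 1]
    )

def regression_coefficient(seqs):
    """Scheme two, implementation 2: slope b of the sequence number y_i against its
    reception order x_i = 1..n. The page only states that b > 0 is required; the
    ordinary least-squares estimate used here is an assumption of this example."""
    n = len(seqs)
    xs = range(1, n + 1)
    x_bar = sum(xs) / n
    y_bar = sum(seqs) / n
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, seqs))
    sxx = sum((x - x_bar) ** 2 for x in xs)
    return sxy / sxx

def replay_verdict(seqs, total_required=10, trends_required=4):
    """Steps S1234 to S1240 with the page's example configuration (M = 10 recorded
    sequence numbers, N = 4 increasing trends). Returns 'pending' until M sequence
    numbers have been recorded, then 'normal' or 'replay' for the session."""
    if len(seqs) < total_required:
        return "pending"
    window = seqs[:total_required]
    if count_increasing_trends(window) >= trends_required:
        return "normal"
    return "replay"

if __name__ == "__main__":
    # Constructed sample sessions: a normal client, a single replayed message,
    # and a replay of a short captured burst (three messages repeated).
    normal = list(range(1, 11))
    replayed_one = [5] * 10
    replayed_burst = [1, 2, 3, 1, 2, 3, 1, 2, 3, 1]
    for name, seqs in (("normal", normal), ("replayed_one", replayed_one),
                       ("replayed_burst", replayed_burst)):
        print(name, count_increasing_trends(seqs),
              round(regression_coefficient(seqs), 4), replay_verdict(seqs))
```

Note that the two criteria can disagree on a replayed burst: the inflection-point count stays below the threshold while b is still slightly positive, which is why the page presents them as alternative implementations rather than equivalents.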
(3) Scheme three: watermark close inspection
If the first normal service message is captured by an attacker and sent to the safeguard, the attacker can defraud the safeguard of its trust; "watermark close inspection" can therefore be enabled to prevent such incidents.
Optionally, the first service message includes a plurality of consecutively received service messages whose number is a second threshold, and matching the second group field by means of the first group field in the watermark feature code to obtain the matching result includes:
where the first field in the second group field of each of the plurality of service messages is not identical to its operation result, determining that the matching result is the third matching result, which indicates that the second group field was not successfully matched; the operation result is that obtained by executing the operation indicated by the first group field.
In other words, even where a normal service message is split into sub-packets, the number of sub-packets is limited (for example by the second threshold); therefore, when multiple consecutive service messages carry no watermark feature code, this indicates a malicious attack.
In the technical solution provided in step S1106, where the matching result indicates that the second group field was successfully matched, the first service message is forwarded to the second object.
Optionally, for the three technical solutions above, when applied to TCP communication, for the matching result obtained by each technical solution:
1) where the matching result indicates that the second group field was successfully matched, the target service messages sent by the first object to the second object through the first session are forwarded to the second object, where the first session is the session established when the first object sent the first service message to the second object, and the target service messages include the first service message;
2) where the matching result indicates that the second group field was not successfully matched, the service messages sent by the first object to the second object through the first session are discarded.
Optionally, for scheme one and scheme two above, when applied to UDP communication, for the matching result obtained by each technical solution:
1) where the matching result indicates that the second group field was successfully matched, the target service messages sent by the first object to the second object are forwarded to the second object, where the target service messages include the first service message;
2) after matching the second group field by means of the first group field in the watermark feature code to obtain the matching result, the method further includes: where the matching result indicates that the second group field was not successfully matched, discarding the service messages sent by the first object to the second object.
As an optional embodiment, the application of the above technical solution to TCP communication is described below:
The client and the safeguard share the same watermark computation method. When the client sends packets, it inserts the watermark feature code at a specified position in the data packet; after the safeguard receives a message, it checks the watermark feature code, lets through messages with a valid watermark and intercepts malicious traffic. With this scheme, DDoS attack techniques that previous protection algorithms could not defend against (including junk messages sent by zombie machines) can be effectively defended, preventing damage to the service from DDoS attacks.
The basic flow of the TCP watermark protection scheme is shown in Figure 7:
Step S702: the user's client 701 and the safeguard 703 share the same watermark computation method; when the client sends a data packet (i.e. a service message), it embeds the watermark feature code at a specified position in the data packet. The watermark feature code computation method is shown in Figure 9.
For example, the watermark can be added to the first 20 bytes after the TCP header; the watermark includes an initial field, an algorithm version, a key version, a watermark fingerprint and a sequence number.
Initial field (Initial Vector, also known as the fixed character string): the starting field used by the safeguard to recognise the watermark. Optionally, each client uniquely corresponds to a 64-bit random number generated at random by the console according to the application identifier appid.
Watermarking algorithm version (Algorithm Version): used by the safeguard to distinguish the version of the watermark computation algorithm.
Key version (Key Version): used by the safeguard to distinguish the watermark version, solving the problem that multiple versions of the client are running in the live network; this version is entered for the client through the console.
Watermark fingerprint (FootPrint): used by the safeguard to verify normal or abnormal behaviour; the client computes this information according to the specific fields and computation algorithm negotiated in advance.
Sequence number (Sequence): the sequence number of the watermark recorded by the safeguard, which solves the replay attack problem; it can be filled in by the client and is incremented by 1 for each message.
Step S704: the safeguard 703 receives the packet (also called the service message) sent by the client, computes the watermark feature code according to the shared watermark computation method, and compares it with the watermark in the received packet. The watermark feature code is computed as follows:
Watermark fingerprint computation: FootPrint = watermarking algorithm(destination IP + destination port + Hashcode + Sequence).
An optional watermarking algorithm is CRC32; the symbol "+" denotes bitwise exclusive OR; "Hashcode" may be a user-defined field.
Step S706: if they are identical, the received data packet (i.e. service message) is a legitimate data packet and the safeguard lets it through.
Step S708: if they are not identical, the data packet (i.e. service message) is illegitimate and the safeguard discards it.
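The client-side construction of the 20-byte watermark and the safeguard-side first packet inspection (scheme one, steps S122 to S14, and steps S1210 to S1218 below), as an added Python example that is not part of the patent; the widths of the fields in bytes 9 to 20, the way the XOR of differently sized inputs is fed to CRC32, and all sample values (initial field, hashcodes, addresses) are assumptions.

```python
import socket
import struct
import zlib

# Assumed layout of the 20-byte watermark placed after the TCP header. The page
# fixes the 8-byte initial field and the field order; the widths below are an
# assumption of this example:
#   bytes 1-8    initial field (64-bit random number, fixed per client)
#   bytes 9-10   algorithm version (uint16, big-endian)
#   bytes 11-12  key version (uint16, big-endian)
#   bytes 13-16  watermark fingerprint FootPrint (uint32, big-endian)
#   bytes 17-20  sequence number (uint32, big-endian)
WATERMARK_FMT = ">8sHHII"
WATERMARK_LEN = struct.calcsize(WATERMARK_FMT)  # 20

# Constructed sample values agreed between client and safeguard (not from the page).
INITIAL_FIELD = bytes.fromhex("5a3c9e17b2d4f061")
HASHCODES = {1: 0x1A2B3C4D, 2: 0x0F0E0D0C}   # key version -> user-defined Hashcode

def crc32_watermark(dst_ip, dst_port, hashcode, sequence):
    """FootPrint = CRC32(destination IP + destination port + Hashcode + Sequence),
    where '+' is bitwise XOR as the page states. Combining inputs of different
    sizes is an assumption: the IPv4 address is taken as its 32-bit network-order
    value, everything is XORed into one 32-bit word, and the big-endian bytes of
    that word are fed to CRC32."""
    ip_int = struct.unpack(">I", socket.inet_aton(dst_ip))[0]
    word = (ip_int ^ dst_port ^ hashcode ^ sequence) & 0xFFFFFFFF
    return zlib.crc32(struct.pack(">I", word)) & 0xFFFFFFFF

ALGORITHMS = {1: crc32_watermark}   # algorithm version -> fingerprint function

def build_watermark(dst_ip, dst_port, algo_ver, key_ver, sequence):
    """Client side (step S702): emit the watermark feature code for one message."""
    fp = ALGORITHMS[algo_ver](dst_ip, dst_port, HASHCODES[key_ver], sequence)
    return struct.pack(WATERMARK_FMT, INITIAL_FIELD, algo_ver, key_ver, fp, sequence)

def check_watermark(payload, dst_ip, dst_port):
    """Safeguard side (steps S704 to S708 / S1210 to S1218) on the bytes after the
    TCP header. Returns (verdict, sequence): verdict is 'pass', 'no_initial_field',
    'bad_version' or 'fingerprint_mismatch'; sequence is set only on 'pass' so the
    caller can record it for replay protection."""
    if len(payload) < WATERMARK_LEN or payload[:8] != INITIAL_FIELD:
        return "no_initial_field", None           # step S1212
    _, algo_ver, key_ver, fp, seq = struct.unpack(WATERMARK_FMT, payload[:WATERMARK_LEN])
    algo = ALGORITHMS.get(algo_ver)
    hashcode = HASHCODES.get(key_ver)
    if algo is None or hashcode is None:
        return "bad_version", None                # computation fails, step S1216
    if algo(dst_ip, dst_port, hashcode, seq) != fp:
        return "fingerprint_mismatch", None       # comparison inconsistent, step S1216
    return "pass", seq                             # step S1218: record sequence number

if __name__ == "__main__":
    wm = build_watermark("10.0.0.5", 443, 1, 1, 7)
    print(check_watermark(wm + b"service data", "10.0.0.5", 443))
    # The same bytes towards another destination port: fingerprint no longer matches.
    print(check_watermark(wm + b"service data", "10.0.0.5", 8443))
    # A message without the initial field is dropped before any computation.
    print(check_watermark(b"\x00" * 32, "10.0.0.5", 443))
```

Because the sequence number is part of the fingerprint, an unmodified copy of a valid message passes this check; that is exactly the gap the replay protection and close inspection modules below are meant to close.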
In the detailed protection flow of the TCP watermark protection scheme, the whole scheme can be divided from the perspective of software function into 3 modules: the first packet inspection module, the replay protection module and the watermark close inspection module.
1) First packet inspection module; the first packet inspection flow it executes is shown in Figure 12:
Step S1202: the client (including normal users and zombie machines) initiates a TCP three-way handshake with the server and establishes a TCP connection;
Step S1204: the ADS records the session; every TCP connection initiated to the protected server is recorded and tracked by the safeguard;
Step S1206: after establishing the TCP connection, the client sends TCP service messages;
Step S1208: the ADS of the safeguard performs stream reassembly according to the message SEQ (i.e. sequence number); through stream reassembly the safeguard identifies the first message of the TCP session and performs the watermark feature code check on that message;
Step S1210: the ADS checks whether the first 8 bytes (the initial field) of the first message are correct; if incorrect, step S1212 is executed, otherwise step S1214;
Step S1212: if incorrect, the message is an attack message: the message is dropped; the safeguard sends an RST message to the client and the server (the receiver of an RST can distinguish whether the peer performed an abnormal close or a normal close) to disconnect the connection; and the session is marked as an abnormal session, i.e. all messages of the session are intercepted;
Step S1214: the safeguard reads bytes 9 to 20 of the message (algorithm version, key version, watermark fingerprint, sequence number), computes the watermark fingerprint according to the watermark fingerprint computation method and compares it with the watermark fingerprint in the message; if the computation fails or the comparison is inconsistent, step S1216 is executed, otherwise step S1218;
Step S1216: if the watermark fingerprint computation fails (for example the algorithm version or the key version does not exist) or the watermark fingerprint in the message is inconsistent with the one computed by the safeguard, the watermark check fails and the message is an attack message: the message is discarded; the safeguard sends an RST message to the client and the server to disconnect the connection; and the session is marked as an abnormal session, i.e. all messages of the session are intercepted.
Step S1218: if the watermark check is correct, the message is legitimate: the message is let through; the session is marked as normal and its subsequent messages are let through; and the sequence number is recorded.
2) Replay protection module
The replay protection module prevents an attacker who has obtained the first service message of a normal client from replaying it with an attack tool to launch a message replay attack. The specific steps are shown in Figure 13:
Step S1220: messages that have passed the first packet inspection module may optionally enter the replay protection flow; if so, step S1224 is executed, otherwise step S1222;
Step S1222: if the replay protection flow is not entered, then once the first packet inspection has added trust, all subsequent messages of the trusted session are let through directly;
Step S1224: if the replay protection flow is enabled, the sessions trusted by the first packet inspection module continue to be tracked and checked;
Step S1226: the first 8 bytes of each message are inspected to judge whether they are the initial field; if so, step S1230 is executed, otherwise step S1228;
Step S1228: if the first 8 bytes are confirmed not to be the initial field, the message is forwarded directly, i.e. let through;
Step S1230: compare whether the computed watermark fingerprint is consistent with the watermark fingerprint in the message. If the check of the first 8 bytes confirms the initial field (also known as the fixed character string), bytes 9 to 20 of the message (algorithm version, key version, watermark fingerprint, sequence number) are checked, the watermark fingerprint is computed according to the watermark fingerprint computation method and compared with the watermark fingerprint in the message; if the two are consistent, step S1232 is executed, otherwise step S1228;
Step S1232: if the check is correct, the message is let through and its sequence number is recorded;
Step S1234: the safeguard judges whether the number of sequence numbers recorded for the session exceeds M (M is configurable); if so, step S1236 is executed, otherwise step S1220.
If it is still less than M, the sequence number record is not yet complete and the flow returns to step S1220;
Step S1236: if more than M, the number of sequence numbers meets the configuration and replay attack analysis and protection can be done: the number of increasing trends is statistically analysed over all sequence numbers counted for the session above, and it is judged whether the number of increasing trends exceeds N; if so, step S1240 is executed, otherwise step S1238;
Step S1238: if the number of increasing trends does not exceed N, the session exhibits replay behaviour (if an attacker constantly replays a single normal message, the sequence number of every message is the same, with no increasing trend at all) and is a malicious session: the message is dropped; the safeguard sends an RST message to the client and the server to disconnect the connection; and the session is marked as an abnormal session, i.e. all messages of the session are intercepted;
Step S1240: if the number of increasing trends exceeds N (N is configurable), the session has no replay behaviour and all subsequent messages are let through.
To illustrate the number of increasing trends mentioned above, an example follows:
The safeguard is configured to require a total of 10 sequence numbers and 4 increasing trends. This means that for the replay protection module to perform replay detection on a session it needs to record 10 sequence numbers, and after the 10 sequence numbers are recorded there must be 4 or more increasing trends to pass the replay protection check; otherwise the session is identified as malicious.
As shown in Figure 17, the abscissa is the reception order of each sequence number, 1 representing the first sequence number received and recorded, and so on; the ordinate is the specific value of the sequence number (as mentioned above, each time a normal client sends a message it adds 1 to the previous message's sequence number).
The increasing trends are shown by the black lines in Figure 17: if the current sequence number is larger than the previous sequence number, this counts as one increasing trend, so Figure 17 has 4 increasing trends.
3) Watermark close inspection module
The watermark close inspection module mainly addresses the following problem: a hacker captures a first normal message by packet sniffing and then attacks as follows: establishes a TCP session; replays the captured normal message as the first message; and after replaying the captured normal message, continuously sends randomly filled attack messages (without a watermark feature code).
If an attacker uses the above attack technique, the protection of the first packet inspection module and the replay protection module can be bypassed. To address this attack, the watermark close inspection module is entered; the specific steps are shown in Figure 14:
Step S1242: messages that have passed the first packet inspection module may optionally enter watermark close inspection protection; if so, step S1246 is executed, otherwise step S1244.
Step S1244: once the first packet inspection has added trust, all subsequent messages of the trusted session are let through directly.
Step S1246: if watermark close inspection is entered, the sessions trusted by the first packet inspection module continue to be tracked, a watermark feature code check is performed on each subsequent message, and each watermark check failure is recorded.
Step S1248: judge whether P consecutive watermark check failures (i.e. fixed character string or watermark fingerprint check failures) have been counted; if so, step S1250 is executed, otherwise step S1244.
Step S1250: if P consecutive watermark check failures have been counted, the session exhibits abnormal behaviour and is a malicious session: the message is dropped. The safeguard sends an RST message to the client and the server to disconnect the connection. And the session is marked as an abnormal session, i.e. all messages of the session are intercepted.
The beneficial effects brought by the technical solution of the present application include at least the following:
1) since the client and the safeguard share the same watermark computation method, the safeguard can accurately identify whether the messages sent by the client are legitimate, continuously intercepting illegitimate traffic and forwarding legitimate traffic; this effectively defends against DDoS attacks, and even attacks from real zombie machines, which the aforementioned DDoS protection strategies find hard to defend against, are effectively defended, greatly improving DDoS protection capability and ensuring service stability;
2) a TCP watermark protection scheme is provided in which the watermark fingerprint is computed from the server IP, port, user-defined field (hashcode) and sequence number, so that normal user access is not mistakenly blocked and malicious traffic is completely cleaned; and since the watermark fingerprint is computed by an algorithm, the attacker cannot decode it;
3) the present application is equivalent to providing a protection scheme that prevents an attacker from replaying a captured normal message, so the attacker cannot achieve an attack through message replay;
4) the present application also provides a close inspection mode that further refines the granularity of watermark checking by performing watermark checks on the subsequent messages of a session, which prevents the bypass attack in which an attacker first replays a normal message and then sends junk messages.
The TCP watermark protection scheme provided by the present application can be used by the server itself and can also be provided to third-party users; after a user accesses the scheme, DDoS attacks are effectively defended, and even attacks from real zombie machines, which the aforementioned DDoS protection strategies find hard to defend against, are effectively defended, greatly improving DDoS protection capability.
The present invention also provides an optional embodiment, described by taking the application of scheme one and scheme two above to UDP communication as an example:
After analysing the UDP protection schemes mentioned above, the applicant recognises that the reasons why UDP FLOOD protection is extremely difficult for services using the UDP protocol can be summarised as follows:
1) the UDP protocol itself is an unreliable, connectionless transport protocol; unlike the TCP protocol, the legitimacy of the source IP cannot be judged from the behaviour of the protocol stack by techniques such as reverse probing and retransmission, that is, whether the source IP is legitimate cannot be judged at the algorithm level;
2) UDP services have many message types without fixed features or fields, and UDP FLOOD attack messages generally have no fixed features either, so it is hard to distinguish from the message itself which messages are normal service messages and which are attack messages;
3) attackers usually forge the source IP when launching a UDP FLOOD, so after an attack occurs the server receives requests sent from a great many source IPs and cannot judge which are malicious source IPs and which are normal client IPs.
Because of these characteristics of UDP FLOOD, legitimate traffic and malicious traffic cannot be distinguished by means such as protocol stack behaviour or message features, so UDP FLOOD protection faces great difficulties.
In the technical solution of the present application, the client and the safeguard share the same watermark computation method; when the client sends packets it embeds the watermark feature code at a specified position in the data packet; after the safeguard receives a message it checks the watermark feature code, lets through messages with a valid watermark and intercepts malicious traffic. With this scheme, all attack methods currently seen in the live network can be effectively defended, avoiding damage to the service from DDoS attacks.
Since the client and the safeguard share the same watermark computation method, the safeguard can accurately identify whether the messages sent by the client are legitimate, continuously intercepting illegitimate traffic and forwarding legitimate traffic; all UDP FLOOD attacks can be effectively defended, greatly improving DDoS protection capability and ensuring service stability. The details are described below:
The basic usage scenario and process of the UDP watermark protection scheme are shown in Figure 7.
Step S702: the user's client 701 and the safeguard 703 share the same watermark computing method. When the client sends a data packet (i.e. a service message), it embeds the watermark feature code at a specified position in the data packet. The watermark feature code calculation method is shown in Figure 10.
For example, the watermark may be added to the first 20 bytes after the UDP header. The watermark includes an initial field, an algorithm version, a key version, a watermark fingerprint and a sequence number.
Initial field (Initial Vector, also called the fixed string): the starting field, used by the safeguard to identify the watermark. Optionally, each client uniquely corresponds to a 64-bit random number, generated at random by the console according to the application identifier appid.
Watermark algorithm version (Algorithm Version): used by the safeguard to distinguish the version of the watermark computation algorithm.
Key version (Key Version): used by the safeguard to distinguish the watermark version, to solve the problem that multiple versions of the client are running in the live network; this version is entered for the client through the console.
Watermark fingerprint (FootPrint): used by the safeguard to verify normal or abnormal behaviour; this information is calculated by the client from the specific fields and the assignment algorithm negotiated in advance.
Sequence number (Sequence): the sequence number of the watermark, recorded by the safeguard to solve the problem of replay attacks. This field can be filled in by the client; the sequence number is incremented by 1 for each message.
Step S704: the safeguard 703 receives the packet (also called the service message) sent by the client, calculates the watermark feature code according to the shared watermark calculation method, and then compares it with the watermark in the received packet. The watermark feature code is computed as follows:
Watermark fingerprint calculation: watermark fingerprint FootPrint = watermark algorithm(destination IP + destination port + Hashcode + Sequence).
An optional watermark algorithm is CRC32; the symbol "+" denotes bitwise exclusive OR; "Hashcode" may be a user-defined field.
Step S706: if the two are the same, the received data packet is a legitimate data packet (i.e. service message) and the safeguard passes it.
Step S708: if they are not the same, the data packet (i.e. service message) is illegitimate and the safeguard discards it.
In the detailed protection process of the UDP watermark protection scheme, the whole scheme can be divided into two software modules: a watermark protection module and a replay attack protection module.
1) The watermark protection module executes the process shown in Figure 15:
Step S1502: clients (including normal users and zombie hosts) send UDP messages.
Step S1504: the safeguard checks the first 8 bytes (the initial field) of the UDP message for correctness; if correct, step S1508 is executed, otherwise step S1506.
Step S1506: if the initial field is wrong, the message is an attack message and is dropped.
Step S1508: if the initial field is correct, the message passes this check. The safeguard reads bytes 9 to 20 of the message (algorithm version, key version, watermark fingerprint, sequence number), calculates the watermark fingerprint according to the watermark fingerprint calculation method and compares the calculated fingerprint with the fingerprint in the message to see whether they are identical. If so, step S1512 is executed, otherwise step S1510.
Step S1510: if the watermark fingerprint calculation fails (for example, the algorithm version or the key version does not exist) or the fingerprint in the message is inconsistent with the one calculated by the safeguard, the watermark check fails; the message is an attack message, it is intercepted and its sequence number is recorded.
Step S1512: if the watermark check is correct, the message is passed.
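The client-side embedding (step S702) and the safeguard-side check (steps S1504 to S1512) as one runnable example. This is added illustration, not code from the patent: the initial field, the key-version-to-Hashcode table, the destination address and the 2/2/4/4-byte split of the twelve bytes after the initial field are constructed assumptions (the page fixes only the 8-byte initial field, the 20-byte total, CRC32 and XOR).

```python
import struct
import zlib
import ipaddress

# Constructed values for this example; the page gives the layout, not these values.
INITIAL_FIELD = bytes.fromhex("0f1e2d3c4b5a6978")   # 8-byte per-client random value
ALGO_VERSIONS = {1}                                   # version 1: CRC32, as on the page
KEY_TABLE = {1: 0x5EED5EED}                           # key version -> user "Hashcode"
WATERMARK_LEN = 20                                    # bytes right after the UDP header


def footprint(dst_ip: str, dst_port: int, hashcode: int, sequence: int) -> int:
    """FootPrint = CRC32(destination IP + destination port + Hashcode + Sequence),
    where '+' is bitwise XOR as the page states.  Treating every operand as a
    32-bit word and feeding the 4-byte XOR result to CRC32 is an assumption here."""
    ip = int(ipaddress.IPv4Address(dst_ip))
    word = (ip ^ dst_port ^ hashcode ^ sequence) & 0xFFFFFFFF
    return zlib.crc32(struct.pack(">I", word)) & 0xFFFFFFFF


def build_watermark(dst_ip, dst_port, algo_version, key_version, sequence) -> bytes:
    """Client side (step S702): initial field, algorithm version, key version,
    fingerprint, sequence number.  Only the 8-byte initial field and the 20-byte
    total are on the page; the 2/2/4/4 split of the remaining 12 bytes is assumed."""
    fp = footprint(dst_ip, dst_port, KEY_TABLE[key_version], sequence)
    return INITIAL_FIELD + struct.pack(">HHII", algo_version, key_version, fp, sequence)


def check_watermark(payload: bytes, dst_ip: str, dst_port: int):
    """Safeguard side (steps S1504 to S1512).  Returns (verdict, sequence)."""
    if len(payload) < WATERMARK_LEN or payload[:8] != INITIAL_FIELD:
        return "drop", None                 # S1506: wrong initial field
    algo, keyv, fp, seq = struct.unpack(">HHII", payload[8:WATERMARK_LEN])
    if algo not in ALGO_VERSIONS or keyv not in KEY_TABLE:
        return "intercept", seq             # S1510: fingerprint cannot be computed
    if footprint(dst_ip, dst_port, KEY_TABLE[keyv], seq) != fp:
        return "intercept", seq             # S1510: fingerprint mismatch
    return "pass", seq                      # S1512


if __name__ == "__main__":
    server = ("10.0.0.8", 9000)             # constructed destination IP and port
    good = build_watermark("10.0.0.8", 9000, 1, 1, 7) + b"payload"
    print(check_watermark(good, *server))                # ('pass', 7)
    tampered = bytearray(good)
    tampered[19] ^= 0x01                                 # alter the sequence number only
    print(check_watermark(bytes(tampered), *server))     # ('intercept', 6)
    print(check_watermark(b"\x00" * 40, *server))        # ('drop', None)
```

Because the fingerprint binds destination IP and port, a captured header replayed at a different server address also fails the check; only the replay of an unmodified message to the same destination gets through, which is what the replay protection module below handles.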
2) Replay protection module
The replay protection module exists to prevent an attacker who has obtained a normal client's service message from replaying it with an attack tool to launch a message replay attack. The specific steps are shown in Figure 16:
A message that has passed the watermark protection module may or may not enter the replay protection process. If it does not, then once the watermark protection module has passed the message, all subsequent messages of that five-tuple (source IP, destination IP, source port, destination port, protocol; likewise hereinafter) are passed directly. If the replay protection process is enabled, the following steps are performed.
Step S1514: the five-tuple that passed the watermark protection module continues to be tracked.
Step S1516: the first 8 bytes of each message are audited, i.e. the first 8 bytes (initial field) of the UDP message are checked for correctness; if correct, S1520 is executed, otherwise step S1518.
Step S1518: if it is not the initial field, the message is passed.
Step S1520: if the first 8 bytes are confirmed to be the initial field (also called the fixed string, likewise hereinafter), bytes 9 to 20 of the message (algorithm version, key version, watermark fingerprint, sequence number) are checked; the watermark fingerprint is then calculated according to the watermark fingerprint calculation method and compared with the fingerprint in the message. If they are identical, step S1524 is executed, otherwise step S1522.
Step S1522: if the check is incorrect, the message is passed.
Step S1524: if the check is correct, the sequence number of the message is recorded.
Step S1526: the safeguard judges whether more than N sequence numbers (N is configurable) have been recorded for the five-tuple; if so, step S1530 is executed, otherwise step S1528.
Step S1528: if fewer than N, the sequence number recording is not yet complete and recording continues.
Step S1530: if more than N, enough sequence numbers have been collected to satisfy the configuration, and replay attack analysis and protection can be carried out. A linear regression is computed over all sequence numbers collected for the five-tuple in the above steps. If the calculated regression coefficient is greater than 0, i.e. the sequence numbers are trending upward, the five-tuple represents the access behaviour of a normal user; the five-tuple is marked as legitimate and subsequent messages are passed. Conversely, if the regression coefficient is not greater than 0, i.e. the sequence numbers show no upward trend, the five-tuple exhibits replay attack behaviour; it is marked as illegitimate and subsequent messages are discarded.
It should be noted that the sequence numbers of normal service messages increase continuously, whereas the sequence numbers of all replayed messages in a replay attack are identical and show no increasing trend. To protect against replay attacks, the sequence numbers of messages of the same five-tuple must be recorded and statistically analysed. A linear regression is performed over the reception order of the sequence numbers and their values, and whether the regression coefficient is greater than 0 determines whether the traffic is normal service interaction or a replay attack.
Suppose the required total number of sequence numbers configured on the safeguard is 10. After 10 sequence numbers have been received and recorded, a linear regression is performed over the reception order of the sequence numbers and their values, where x_i denotes the order of a sequence number, y_i the value of that sequence number, x̄ the average of the orders and ȳ the average of the sequence numbers. The calculation formula is as follows:
The above regression coefficient can also be denoted as b. Figure 18 shows an example of the calculated result: the abscissa represents the order, the ordinate the specific sequence number, the black line the regression line and the points the service messages. The linear regression gives a regression coefficient greater than 0 (the slope of the line is greater than 0°), indicating that the sequence numbers are trending upward.
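The per-five-tuple replay analysis of steps S1514 to S1530, worked through with the ten-message configuration above. This is an added example, not the patent's code: the regression formula itself is not reproduced on the page, so the ordinary least-squares slope of y_i on x_i is assumed for b, and passing messages while sequence numbers are still being collected is likewise an assumption.

```python
from collections import defaultdict

N_REQUIRED = 10   # sequence numbers collected per five-tuple before analysis (page example: 10)


def regression_coefficient(seqs):
    """Least-squares slope b of the sequence numbers y_i against their reception
    order x_i = 1..n, using the page's x̄ and ȳ.  The page names the coefficient
    but does not reproduce the formula, so the ordinary OLS slope is assumed."""
    n = len(seqs)
    xs = range(1, n + 1)
    x_bar = sum(xs) / n
    y_bar = sum(seqs) / n
    num = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, seqs))
    den = sum((x - x_bar) ** 2 for x in xs)
    return num / den


class ReplayGuard:
    """Replay protection for messages that already passed the watermark check
    (steps S1514 to S1530).  The decision for a five-tuple is taken once
    N_REQUIRED sequence numbers have been recorded, as in the ten-message example."""

    def __init__(self, n_required=N_REQUIRED):
        self.n_required = n_required
        self.seqs = defaultdict(list)      # five-tuple -> recorded sequence numbers
        self.verdict = {}                  # five-tuple -> "legal" | "illegal"

    def observe(self, five_tuple, sequence):
        """Returns "pass" or "drop" for one watermark-valid message of this five-tuple."""
        if five_tuple in self.verdict:                      # decision already taken
            return "pass" if self.verdict[five_tuple] == "legal" else "drop"
        recorded = self.seqs[five_tuple]
        recorded.append(sequence)                           # S1524: record the sequence
        if len(recorded) < self.n_required:                 # S1528: keep collecting
            return "pass"                                   # (passing meanwhile is assumed)
        b = regression_coefficient(recorded)                # S1530: regression over all
        self.verdict[five_tuple] = "legal" if b > 0 else "illegal"
        return "pass" if b > 0 else "drop"


if __name__ == "__main__":
    guard = ReplayGuard()
    # Constructed five-tuples: a normal client and a host replaying one captured message.
    client = ("192.0.2.10", 40000, "10.0.0.8", 9000, "udp")
    replayer = ("198.51.100.7", 53123, "10.0.0.8", 9000, "udp")
    print([guard.observe(client, s) for s in range(1, 12)])        # all 'pass'
    print([guard.observe(replayer, 7) for _ in range(12)])          # 9 'pass', then 'drop'
    print(guard.verdict[client], guard.verdict[replayer])           # legal illegal
```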
The technical solution of this application:
1) provides a UDP watermark protection scheme in which the watermark fingerprint is calculated from the server IP, port, a user-defined field (hashcode) and a sequence number. This achieves the goal of passing normal users' access without false blocking and cleaning malicious traffic completely; and since the watermark fingerprint is calculated by an algorithm, an attacker cannot decode the watermark fingerprint;
2) also provides a protection scheme against an attacker capturing and replaying normal messages; the attacker cannot achieve an attack by replaying messages.
This application provides the UDP watermark protection scheme for use by third-party users (such as cloud storage applications). After a user has integrated the scheme, all UDP attack methods can be effectively covered, while normal service traffic and user experience are not affected, greatly improving DDoS protection capability.
It should be noted that, for simplicity of description, the foregoing method embodiments are described as a series of combinations of actions; those skilled in the art should understand, however, that the present invention is not limited by the described sequence of actions, since according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be realised by software plus a necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can essentially be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and comprising instructions that cause a terminal device (which may be a mobile phone, computer, server, network device, etc.) to execute the method described in each embodiment of the present invention.
According to another aspect of the embodiments of the present invention, a transmitting device for service messages, for implementing the above service message transmission method, is also provided. Figure 19 is a schematic diagram of an optional service message transmitting device according to an embodiment of the present invention, which may be part of the terminal. As shown in Figure 19, the device may include a filling unit 1901 and a sending unit 1903.
The filling unit 1901 is used to fill the watermark feature code and the message payload into the first service message to be sent, where the first group of fields of the watermark feature code is used to indicate the second group of fields of the watermark feature code that is to match.
Optionally, the filling unit is further used to: carry a target string in the second field of the first group of fields, carry key indication information in the third field of the first group of fields, carry watermark indication information in the fourth field of the first group of fields, carry the watermark fingerprint in the first field of the second group of fields and carry the sequence number in the fifth field of the second group of fields; and fill the watermark feature code carrying this information and the message payload into the first service message.
Through the above modules, the watermark feature code and the message payload are filled into the first service message to be sent, the first group of fields of the watermark feature code indicating the second group of fields of the watermark feature code that is to match, and the first service message is sent to the second object. The safeguard matches the second group of fields in the watermark feature code by means of the first group of fields in the watermark feature code and obtains a matching result. Where the matching result indicates that the second group of fields was matched successfully, the first service message is forwarded to the second object; where it indicates that the second group of fields was not matched successfully, the first service message is discarded. That is, attack messages can be filtered out by the matching operation without reaching the server and affecting the network service it provides, which solves the technical problem of the low security of network services in the related art and achieves the technical effect of improving the security of the network server.
According to another aspect of the embodiments of the present invention, a transmitting device for service messages, for implementing the above service message transmission method, is also provided. Figure 20 is a schematic diagram of an optional service message transmitting device according to an embodiment of the present invention, which may be part of the safeguard. As shown in Figure 20, the device may include an acquiring unit 2001, a matching unit 2003 and a forwarding unit 2005.
The acquiring unit 2001 is used to obtain the first service message sent by the first object to the second object, where the first service message includes the watermark feature code and the message payload;
the matching unit 2003 is used to match the second group of fields in the watermark feature code by means of the first group of fields in the watermark feature code, to obtain a matching result;
the forwarding unit 2005 is used to forward the first service message to the second object where the matching result indicates that the second group of fields was matched successfully.
It should be noted that the acquiring unit 2001 in this embodiment may be used to execute step S1102 in the embodiment of the present application, the matching unit 2003 may be used to execute step S1104, and the forwarding unit 2005 may be used to execute step S1106.
It should be noted here that the examples and application scenarios realised by the above modules are the same as those of the corresponding steps, but are not limited to the content disclosed in the above embodiment. It should be noted that the above modules, as part of the device, may run in the hardware environment shown in Figure 7 and may be realised by software or by hardware.
Through the above modules, the first service message sent by the first object to the second object is obtained, the first service message including the watermark feature code and the message payload; the second group of fields in the watermark feature code is matched by means of the first group of fields in the watermark feature code to obtain a matching result; where the matching result indicates that the second group of fields was matched successfully, the first service message is forwarded to the second object, and where it indicates that the second group of fields was not matched successfully, the first service message is discarded. That is, attack messages can be filtered out by the matching operation without reaching the server and affecting the network service it provides, which solves the technical problem of the low security of network services in the related art and achieves the technical effect of improving the security of the network server.
In an optional embodiment, the above matching unit may include: an execution module for executing the operation indicated by the first group of fields to obtain an operation result; and a first matching module for determining, where the operation result is identical to the first field in the second group of fields, that the matching result is a first matching result, where the first matching result indicates that the second group of fields was matched successfully.
Optionally, the above execution module may further be used to: where the second field in the first group of fields is the target string, obtain a hash value according to the indication of the third field in the first group of fields; and perform on the hash value and the object information of the first object the arithmetic operation indicated by the fourth field in the first group of fields, to obtain the operation result.
In another optional embodiment, the above first service message comprises multiple service messages, and the above matching unit may include: a second matching module for determining, where the first field in the second group of fields of each of the multiple service messages is identical to the operation result and the fifth fields in the second group of fields of the multiple service messages differ from one another and satisfy a predetermined condition, that the matching result is a second matching result, where the second matching result indicates that the second group of fields was matched successfully and the operation result is obtained by executing the operation indicated by the first group of fields.
Optionally, the above second matching module determines whether the fifth fields in the second group of fields of the multiple service messages satisfy the predetermined condition by the following steps:
searching for second service messages among the multiple service messages, where the sequence number indicated by the fifth field of a second service message is not less than the sequence number indicated by the fifth field of a third service message and less than the sequence number indicated by the fifth field of a fourth service message, the third service message being the service message adjacent to the second service message and received before it, and the fourth service message being the service message adjacent to the second service message and received after it;
where the number of second service messages found is less than a first threshold, determining that the fifth fields in the second group of fields of the multiple service messages do not satisfy the predetermined condition, where the first threshold is less than the number of the multiple service messages;
where the number of second service messages found is not less than the first threshold, determining that the fifth fields in the second group of fields of the multiple service messages satisfy the predetermined condition, where the first threshold is less than the number of the multiple service messages.
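The neighbour-based counting criterion of the three steps above, as an added example (not the patent's code). Messages are taken in reception order; that the first and last message, which have only one neighbour, are never counted is an assumption the page does not settle.

```python
def count_ordered_messages(seqs):
    """Count the page's 'second service messages': messages whose sequence number
    is not less than that of the message received immediately before and less
    than that of the message received immediately after.  The first and last
    messages have only one neighbour and are not counted (assumption)."""
    return sum(1 for i in range(1, len(seqs) - 1)
               if seqs[i - 1] <= seqs[i] < seqs[i + 1])


def meets_predetermined_condition(seqs, first_threshold):
    """True when at least first_threshold ordered messages were found.  The page
    requires the threshold to be smaller than the number of messages."""
    if not first_threshold < len(seqs):
        raise ValueError("first_threshold must be less than the message count")
    return count_ordered_messages(seqs) >= first_threshold


if __name__ == "__main__":
    # Constructed sequence-number samples, ten messages each, threshold 6.
    normal = list(range(1, 11))                     # strictly increasing client
    replayed = [7] * 10                             # one captured message resent
    mixed = [1, 2, 3, 3, 3, 4, 5, 6, 7, 8]          # duplicates interleaved with real traffic
    for name, seqs in (("normal", normal), ("replayed", replayed), ("mixed", mixed)):
        print(name, count_ordered_messages(seqs), meets_predetermined_condition(seqs, 6))
```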
Optionally, the above second matching module may also determine whether the fifth fields in the second group of fields of the multiple service messages satisfy the predetermined condition by the following steps:
where the regression coefficient b of the sequence numbers indicated by the fifth fields in the second group of fields of the multiple service messages is greater than 0, determining that the fifth fields in the second group of fields of the multiple service messages satisfy the predetermined condition,
where x_i denotes the reception order of the sequence number indicated by the fifth field of the i-th service message, y_i denotes the value of the sequence number indicated by the fifth field of the i-th service message, x̄ denotes the average of the reception orders of the sequence numbers indicated by the fifth fields of the multiple service messages, ȳ denotes the average of the sequence numbers indicated by the fifth fields of the multiple service messages, and n is the number of the multiple service messages.
Optionally, the above matching unit may include: a first forwarding module for forwarding, where a fifth service message and a sixth service message exist among the multiple service messages, the sixth service message to the second object, where the first field in the second group of fields of the fifth service message is identical to the operation result, the first field in the second group of fields of the sixth service message is not identical to the operation result, and the reception time of the sixth service message is later than that of the fifth service message.
In yet another optional embodiment, the above first service message comprises multiple continuously received service messages whose number is a second threshold, and the above matching unit may include: a third matching module for determining, where the first field in the second group of fields of each of the multiple service messages differs from the operation result, that the matching result is a third matching result, where the third matching result indicates that the second group of fields was not matched successfully and the operation result is obtained by executing the operation indicated by the first group of fields.
In an optional embodiment, the forwarding unit may include: a second forwarding module for forwarding, where the matching result indicates that the second group of fields was matched successfully, the target service messages sent by the first object to the second object through the first session to the second object, where the first session is the session established when the first object sends the first service message to the second object and the target service messages include the first service message; and a first discard module for discarding, where the matching result indicates that the second group of fields was not matched successfully, the service messages sent by the first object to the second object through the first session.
The technical solution of this application brings at least the following beneficial effects:
1) because the client and the safeguard share the same watermark calculation scheme, the safeguard can accurately identify whether a message sent by a client is legitimate, continue to intercept illegitimate traffic and forward legitimate traffic, and effectively protect against DDoS attacks; in addition, attacks from real zombie hosts, which the aforementioned DDoS protection strategies have difficulty protecting against, can also be effectively protected against, greatly improving DDoS protection capability and ensuring service stability;
2) a TCP watermark protection scheme is provided in which the watermark fingerprint is calculated from the server IP, port, a user-defined field (hashcode) and a sequence number, achieving the goal of passing normal users' access without false blocking and cleaning malicious traffic completely; and since the watermark fingerprint is calculated by an algorithm, an attacker cannot decode the watermark fingerprint;
3) this application is equivalent to providing a protection scheme against an attacker capturing and replaying normal messages; the attacker cannot achieve an attack by message replay;
4) this application also provides a strict inspection mode that further refines the granularity of the watermark check: the subsequent messages of a session are also checked for the watermark, which prevents an attacker from bypassing protection by first replaying a normal message and then sending junk messages.
In another optional embodiment, the forwarding unit may include: a third forwarding module for forwarding, where the matching result indicates that the second group of fields was matched successfully, the target service messages sent by the first object to the second object to the second object, where the target service messages include the first service message; and a second discard module for discarding, where the matching result indicates that the second group of fields was not matched successfully, the service messages sent by the first object to the second object.
Through the foregoing embodiment, a UDP watermark protection scheme is provided in which the watermark fingerprint is calculated from the server IP, port, a user-defined field (hashcode) and a sequence number. This achieves the goal of passing normal users' access without false blocking and cleaning malicious traffic completely, and since the watermark fingerprint is calculated by an algorithm, an attacker cannot decode the watermark fingerprint. A protection scheme against an attacker capturing and replaying normal messages is also provided: the attacker cannot achieve an attack by message replay.
It should be noted here that the examples and application scenarios realised by the above modules are the same as those of the corresponding steps, but are not limited to the content disclosed in the above embodiment. It should be noted that the above modules, as part of the device, may run in the hardware environment shown in Figure 7 and may be realised by software or by hardware, where the hardware environment includes a network environment.
According to another aspect of the embodiments of the present invention, a server or terminal for implementing the above service message transmission method is also provided.
Figure 21 is a structural block diagram of a terminal according to an embodiment of the present invention. As shown in Figure 21, the terminal may include one or more processors 2101 (only one is shown in Figure 21), a memory 2103 and a transmitting device 2105 (such as the sending device in the above embodiment); as shown in Figure 21, the terminal may also include an input/output device 2107.
The memory 2103 may be used to store software programs and modules, such as the program instructions/modules corresponding to the service message transmission method and device in the embodiments of the present invention. The processor 2101 executes various functional applications and data processing, that is, realises the above service message transmission method, by running the software programs and modules stored in the memory 2103. The memory 2103 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 2103 may further include memory located remotely from the processor 2101, and such remote memory may be connected to the terminal through a network. Examples of the above network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The above transmitting device 2105 is used to receive or send data via a network and may also be used for data transmission between the processor and the memory. Specific examples of the above network may include wired networks and wireless networks. In one example, the transmitting device 2105 includes a network interface controller (NIC), which can be connected by cable to other network devices and routers so as to communicate with the Internet or a local area network. In one example, the transmitting device 2105 is a radio frequency (RF) module used to communicate wirelessly with the Internet.
Specifically, the memory 2103 is used to store an application program.
The processor 2101 may call, through the transmitting device 2105, the application program stored in the memory 2103 in order to execute the following steps:
obtaining the first service message sent by the first object to the second object, where the first service message includes the watermark feature code and the message payload;
matching the second group of fields in the watermark feature code by means of the first group of fields in the watermark feature code, to obtain a matching result;
where the matching result indicates that the second group of fields was matched successfully, forwarding the first service message to the second object.
The processor 2101 is also used to execute the following steps:
filling the watermark feature code and the message payload into the first service message to be sent, where the first group of fields of the watermark feature code is used to indicate the second group of fields of the watermark feature code that is to match;
sending the first service message to the second object.
Using the embodiments of the present invention, the first service message sent by the first object to the second object is obtained, the first service message including the watermark feature code and the message payload; the second group of fields in the watermark feature code is matched by means of the first group of fields in the watermark feature code to obtain a matching result; where the matching result indicates that the second group of fields was matched successfully, the first service message is forwarded to the second object, and where it indicates that the second group of fields was not matched successfully, the first service message is discarded. That is, attack messages can be filtered out by the matching operation without reaching the server and affecting the network service it provides, which solves the technical problem of the low security of network services in the related art and achieves the technical effect of improving the security of the network server.
Optionally, the specific example in the present embodiment can be with reference to example described in above-described embodiment, the present embodiment Details are not described herein.
It will appreciated by the skilled person that structure shown in Figure 21 is only to illustrate, terminal can be smart phone (such as Android phone, iOS mobile phone), tablet computer, palm PC and mobile internet device (Mobile Internet Devices, MID), the terminal devices such as PAD.Figure 21 it does not cause to limit to the structure of above-mentioned electronic device.For example, terminal is also May include than shown in Figure 21 more perhaps less component (such as network interface, display device) or have and Figure 21 institute Show different configurations.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of above-described embodiment is can It is completed with instructing the relevant hardware of terminal device by program, which can store in a computer readable storage medium In, storage medium may include: flash disk, read-only memory (Read-Only Memory, ROM), random access device (Random Access Memory, RAM), disk or CD etc..
The embodiments of the present invention also provide a kind of storage mediums.Optionally, in the present embodiment, above-mentioned storage medium can With the program code of the transmission method for executing service message.
Optionally, in the present embodiment, above-mentioned storage medium can be located at multiple in network shown in above-described embodiment On at least one network equipment in the network equipment.
Optionally, in the present embodiment, storage medium is arranged to store the program code for executing following steps:
S31 obtains the first service message that the first object is sent to the second object, wherein the first service message includes water Print condition code and message load;
S32 matches the second group field in watermark feature code by the first group field in watermark feature code, obtains To matching result;
S33 forwards the first service message in the case where matching result indicates that the second group field is successfully matched to To the second object.
Optionally, storage medium is also configured to store the program code for executing following steps:
S41 fills watermark feature code and message load to the first service message to be sent, wherein watermark feature code The first group field be used to indicate the second group field of the watermark feature code to match;
First service message is sent to the second object by S42.
Optionally, the specific example in the present embodiment can be with reference to example described in above-described embodiment, the present embodiment Details are not described herein.
Optionally, in the present embodiment, above-mentioned storage medium can include but is not limited to: USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), mobile hard disk, magnetic disk or The various media that can store program code such as CD.
The serial number of the above embodiments of the invention is only for description, does not represent the advantages or disadvantages of the embodiments.
If the integrated unit in the above embodiments is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in the above computer-readable storage medium. Based on this understanding, the technical solution of the invention, in essence, or the part that contributes to the existing technology, or all or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes instructions for causing one or more computer devices (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the method described in each embodiment of the invention.
In the above embodiments of the invention, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed client may be implemented in other ways. The apparatus embodiments described above are merely exemplary. For example, the division of units is only a division by logical function, and another division manner may be used in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units, or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the invention may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit. The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The above is only a preferred embodiment of the invention. It should be noted that, for those of ordinary skill in the art, various improvements and modifications may be made without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the invention.

Claims (16)

1. A method for transmitting a service message, comprising:
obtaining a first service message sent by a first object to a second object, wherein the first service message comprises a watermark feature code and a message load;
matching the second group field in the watermark feature code by the first group field in the watermark feature code, to obtain a matching result;
in the case where the matching result indicates that the second group field is successfully matched, forwarding the first service message to the second object.
2. The method according to claim 1, wherein matching the second group field in the watermark feature code by the first group field in the watermark feature code to obtain the matching result comprises:
executing the operation indicated by the first group field, to obtain an operating result;
in the case where the operating result is identical to the first field in the second group field, determining that the matching result is a first matching result, wherein the first matching result is used to indicate that the second group field is successfully matched.
3. The method according to claim 2, wherein executing the operation indicated by the first group field to obtain the operating result comprises:
in the case where the second field in the first group field is a target string, obtaining a hash value according to the indication of the third field in the first group field;
executing the arithmetic operation indicated by the fourth field in the first group field on the hash value and the object information of the first object, to obtain the operating result.
4. The method according to claim 1, wherein the first service message comprises multiple service messages, and matching the second group field in the watermark feature code by the first group field in the watermark feature code to obtain the matching result comprises:
in the case where the first field in the second group field of each of the multiple service messages is identical to the operating result, and the fifth fields in the second group fields of the multiple service messages are different from one another and satisfy a predetermined condition, determining that the matching result is a second matching result, wherein the second matching result is used to indicate that the second group field is successfully matched, and the operating result is obtained by executing the operation indicated by the first group field.
5. The method according to claim 4, wherein whether the fifth fields in the second group fields of the multiple service messages satisfy the predetermined condition is determined by the following steps:
searching for second service messages in the multiple service messages, wherein the sequence number indicated by the fifth field in a second service message is not less than the sequence number indicated by the fifth field in a third service message and is less than the sequence number indicated by the fifth field in a fourth service message, the third service message being the service message in the multiple service messages that is adjacent to the second service message and received before it, and the fourth service message being the service message in the multiple service messages that is adjacent to the second service message and received after it;
in the case where the number of second service messages found is less than a first threshold, determining that the fifth fields in the second group fields of the multiple service messages do not satisfy the predetermined condition, wherein the first threshold is less than the message count of the multiple service messages;
in the case where the number of second service messages found is not less than the first threshold, determining that the fifth fields in the second group fields of the multiple service messages satisfy the predetermined condition, wherein the first threshold is less than the message count of the multiple service messages.
6. The method according to claim 5, wherein whether the fifth fields in the second group fields of the multiple service messages satisfy the predetermined condition is determined by the following steps:
in the case where the regression coefficient b of the sequence numbers indicated by the fifth fields in the second group fields of the multiple service messages satisfies the condition with respect to 0 set out in this claim, determining that the fifth fields in the second group fields of the multiple service messages satisfy the predetermined condition,
where $x_i$ denotes the reception order of the sequence number indicated by the fifth field of the i-th service message, $y_i$ denotes the sequence number indicated by the fifth field of the i-th service message, $\bar{x}$ denotes the average of the reception orders of the sequence numbers indicated by the fifth fields of the multiple service messages, $\bar{y}$ denotes the average of the sequence numbers indicated by the fifth fields of the multiple service messages, and n is the number of the multiple service messages.
7. The method according to claim 4, wherein, during matching the second group field in the watermark feature code by the first group field in the watermark feature code to obtain the matching result, the method further comprises:
in the case where a fifth service message and a sixth service message exist in the multiple service messages, forwarding the sixth service message to the second object, wherein the first field in the second group field of the fifth service message is identical to the operating result, the first field in the second group field of the sixth service message is not identical to the operating result, and the receiving time of the sixth service message is later than that of the fifth service message.
8. The method according to claim 1, wherein the first service message comprises a number of consecutively received service messages equal to a second threshold, and matching the second group field in the watermark feature code by the first group field in the watermark feature code to obtain the matching result comprises:
in the case where the first field in the second group field of each of the multiple service messages is different from the operating result, determining that the matching result is a third matching result, wherein the third matching result is used to indicate that the second group field is not successfully matched, and the operating result is obtained by executing the operation indicated by the first group field.
9. The method according to any one of claims 1 to 8, wherein:
in the case where the matching result indicates that the second group field is successfully matched, forwarding the first service message to the second object comprises: in the case where the matching result indicates that the second group field is successfully matched, forwarding to the second object the target service messages sent by the first object to the second object through a first session, wherein the first session is the session established when the first object sends the first service message to the second object, and the target service messages include the first service message;
after matching the second group field in the watermark feature code by the first group field in the watermark feature code to obtain the matching result, the method further comprises: in the case where the matching result indicates that the second group field is not successfully matched, discarding the service messages sent by the first object to the second object through the first session.
10. The method according to any one of claims 1 to 6, wherein:
in the case where the matching result indicates that the second group field is successfully matched, forwarding the first service message to the second object comprises: in the case where the matching result indicates that the second group field is successfully matched, forwarding to the second object the target service messages sent by the first object to the second object, wherein the target service messages include the first service message;
after matching the second group field in the watermark feature code by the first group field in the watermark feature code to obtain the matching result, the method further comprises: in the case where the matching result indicates that the second group field is not successfully matched, discarding the service messages sent by the first object to the second object.
11. A method for transmitting a service message, comprising:
filling a watermark feature code and a message load into a first service message to be sent, wherein the first group field of the watermark feature code is used to indicate the second group field of the watermark feature code to be matched;
sending the first service message to a second object.
12. The method according to claim 11, wherein filling the watermark feature code and the message load into the first service message to be sent comprises:
carrying a target string in the second field of the first group field, carrying key indication information in the third field of the first group field, carrying watermark indication information in the fourth field of the first group field, carrying a watermark fingerprint in the first field of the second group field, and carrying a sequence number in the fifth field of the second group field;
filling the watermark feature code carrying the above information and the message load into the first service message.
13. An apparatus for transmitting a service message, comprising:
an acquiring unit, configured to obtain a first service message sent by a first object to a second object, wherein the first service message comprises a watermark feature code and a message load;
a matching unit, configured to match the second group field in the watermark feature code by the first group field in the watermark feature code, to obtain a matching result;
a forwarding unit, configured to forward the first service message to the second object in the case where the matching result indicates that the second group field is successfully matched.
14. An apparatus for transmitting a service message, comprising:
a filling unit, configured to fill a watermark feature code and a message load into a first service message to be sent, wherein the first group field of the watermark feature code is used to indicate the second group field of the watermark feature code to be matched;
a sending unit, configured to send the first service message to a second object.
15. A storage medium, wherein the storage medium comprises a stored program, and the program, when run, executes the method according to any one of claims 1 to 12.
16. An electronic device, comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, wherein the processor executes the method according to any one of claims 1 to 12 by means of the computer program.
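The sender-side filling (steps S41/S42, claims 11-12) and the forwarder-side matching (claims 1-5) can be exercised end to end with the following added example; it is not code from the patent or its assignee. The field layout, the target string `WMK1`, the key table, the choice of SHA-256 for the hash, and the use of the sender's address bytes as "object information" are all assumptions made for this example; the patent names fields only by number.

```python
import hashlib
from dataclasses import dataclass

# Constructed layout for the two field groups of the watermark feature code (assumption).
TARGET_STRING = b"WMK1"                # 1st group, 2nd field: target string (constructed value)
KEYS = {1: b"constructed-shared-key"}  # 3rd field selects a key from this assumed shared table


@dataclass(frozen=True)
class WatermarkCode:
    target: bytes      # 1st group, 2nd field: target string
    key_id: int        # 1st group, 3rd field: key indication information
    op: str            # 1st group, 4th field: watermark indication, here the arithmetic operation
    fingerprint: int   # 2nd group, 1st field: watermark fingerprint
    seq: int           # 2nd group, 5th field: sequence number


def run_operation(key_id: int, op: str, object_info: bytes) -> int:
    """Operation indicated by the first group field (claim 3): hash the selected key, then
    combine the 32-bit hash value with the first object's information (its address bytes)."""
    h = int.from_bytes(hashlib.sha256(KEYS[key_id]).digest()[:4], "big")
    obj = int.from_bytes(object_info, "big")
    if op == "xor":
        return (h ^ obj) & 0xFFFFFFFF
    if op == "add":
        return (h + obj) & 0xFFFFFFFF
    raise ValueError(f"unknown operation {op!r}")


def fill_watermark(key_id: int, op: str, object_info: bytes, seq: int, payload: bytes):
    """Sender side (S41, claim 12): build the watermark feature code next to the message load."""
    fp = run_operation(key_id, op, object_info)
    return WatermarkCode(TARGET_STRING, key_id, op, fp, seq), payload


def match_single(code: WatermarkCode, object_info: bytes) -> bool:
    """Claims 2-3: the 2nd field must be the target string and the fingerprint must equal
    the operating result recomputed from the 3rd and 4th fields and the sender's information."""
    if code.target != TARGET_STRING or code.key_id not in KEYS:
        return False
    return run_operation(code.key_id, code.op, object_info) == code.fingerprint


def sequence_condition(seqs: list, threshold: int) -> bool:
    """Claim 5: count messages whose sequence number is not less than the previous message's
    and less than the next message's; the predetermined condition holds at or above threshold."""
    hits = sum(1 for i in range(1, len(seqs) - 1) if seqs[i - 1] <= seqs[i] < seqs[i + 1])
    return hits >= threshold


def match_batch(codes: list, object_info: bytes, threshold: int) -> bool:
    """Claim 4: every fingerprint matches, sequence numbers are pairwise different, and the
    ordering condition of claim 5 is met (threshold must be below the message count)."""
    if not codes or threshold >= len(codes):
        raise ValueError("threshold must be smaller than the number of messages")
    if not all(match_single(c, object_info) for c in codes):
        return False
    seqs = [c.seq for c in codes]
    if len(set(seqs)) != len(seqs):
        return False
    return sequence_condition(seqs, threshold)


def forward_decision(codes: list, object_info: bytes, threshold: int) -> str:
    """Claims 1 and 10: forward the messages on a successful match, otherwise discard them."""
    return "forward" if match_batch(codes, object_info, threshold) else "drop"


if __name__ == "__main__":
    src = b"\x0a\x00\x00\x01"  # constructed sender address used as object information
    batch = [fill_watermark(1, "xor", src, s, b"payload")[0] for s in range(1, 6)]
    print(forward_decision(batch, src, 3))   # a well-formed in-order batch is forwarded
```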
CN201810085054.0A 2018-01-29 2018-01-29 Service message transmission method and device, storage medium and electronic device Active CN110099027B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810085054.0A CN110099027B (en) 2018-01-29 2018-01-29 Service message transmission method and device, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN110099027A true CN110099027A (en) 2019-08-06
CN110099027B CN110099027B (en) 2021-09-28

Family

ID=67441895

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810085054.0A Active CN110099027B (en) 2018-01-29 2018-01-29 Service message transmission method and device, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN110099027B (en)

Also Published As

Publication number Publication date
CN110099027B (en) 2021-09-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant