CN116232690A - DDOS attack resistance method and device, intelligent network card, medium and product - Google Patents


Info

Publication number: CN116232690A
Authority: CN (China)
Prior art keywords: access request, request packet, connection, syn, message
Legal status: Pending
Application number: CN202310037310.XA
Other languages: Chinese (zh)
Inventors: 朱敏, 李桧
Current assignee: Wuxi Muchuang Integrated Circuit Design Co ltd
Original assignee: Wuxi Muchuang Integrated Circuit Design Co ltd
Priority application: CN202310037310.XA
Publication: CN116232690A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a method, a device, an intelligent network card, a medium and a product for resisting DDOS attacks, which can be applied to the technical field of network transmission. The method comprises the following steps: receiving an access request packet sent by a client to the server; judging whether the access request packet belongs to a DDOS attack; and responding to the access request packet when it belongs to a DDOS attack. On one hand, the response is implemented in hardware by the intelligent network card, which gives higher performance than a firewall server; on the other hand, the response operation is integrated into the intelligent network card, so no separate server needs to be configured as a firewall: the intelligent network card replies to the access request packet directly, the packet does not need to be uploaded to the server, server resources are not occupied, and the DDOS attack is effectively resisted.

Description

DDOS attack resistance method and device, intelligent network card, medium and product
Technical Field
The disclosure relates to the field of network transmission, and in particular relates to a method and a device for resisting DDOS attacks, an intelligent network card, a medium and a product.
Background
Distributed denial of service attacks (DDOS, Distributed Denial of Service) refer to multiple attackers at different locations simultaneously launching an attack on one or several targets, or to an attacker controlling multiple machines at different locations and using these machines to launch an attack on a victim simultaneously. Since the points of attack are distributed across different locations, such attacks are known as distributed denial of service attacks, and there may be many attack points.
One of the most common ways to resist DDOS attacks is to build a firewall, but this still handles DDOS attacks in software, which places particularly high performance requirements on the servers acting as firewalls.
Disclosure of Invention
In view of the above, the present disclosure provides a method, apparatus, intelligent network card, medium and product for resisting DDOS attack.
According to a first aspect of the present disclosure, there is provided a method for resisting DDOS attack, applied to an intelligent network card, where the intelligent network card is disposed on a server, the method including:
receiving an access request packet sent to the server by a client;
judging whether the access request packet is attacked by DDOS or not;
in the event that the access request packet is under DDOS attack, responding to the access request packet.
In an embodiment of the disclosure, the responding to the access request packet includes:
analyzing the protocol type of the access request packet, wherein the protocol type comprises an ICMP type and a TCP type;
replying the access request packet to the client under the condition that the protocol type is the ICMP type;
and under the condition that the protocol type is the TCP type, determining the connection stage of the access request packet, and responding to the access request packet according to the connection stage of the access request packet.
In an embodiment of the present disclosure, when the connection phase of the access request packet is the first handshake, responding to the access request packet according to its connection phase includes:
for the same access request packet, acquiring the currently received SYN message and the Seq value it carries, and the historically received SYN messages and the Seq values they carry;
judging whether there exists a historically received SYN message whose SYN message and carried Seq value are the same as the currently received SYN message and its carried Seq value;
discarding the received SYN message when such a historically received SYN message and carried Seq value exist;
and replying a SYN message and an ACK message to the client when no such historically received SYN message and carried Seq value exist.
In an embodiment of the present disclosure, when the connection phase of the access request packet is the second handshake, responding to the access request packet according to its connection phase includes:
constructing a semi-connection waiting list, where the semi-connection waiting list is used to store a preset threshold number of SYN messages;
adding the received SYN message to the preset semi-connection waiting list;
judging whether the number of SYN messages currently in the semi-connection waiting list is larger than the threshold;
and deleting the target SYN message from the semi-connection waiting list when the number of SYN messages in the semi-connection waiting list is larger than the threshold.
In an embodiment of the present disclosure, when the connection phase of the access request packet is the second handshake, the method further includes:
discarding the SYN message when a SYN message sent from the same IP address is received.
In an embodiment of the present disclosure, in a case where the connection phase of the access request packet is a third handshake, the responding to the access request packet according to the connection phase of the access request packet includes:
acquiring a currently received ACK message;
searching SYN messages corresponding to the five-tuple of the ACK message from the semi-connection waiting list;
and, when the SYN message corresponding to the five-tuple of the ACK message is found, removing the SYN message corresponding to the ACK message from the semi-connection waiting list, completing the connection of the access request packet, and sending the related information of the access request packet to the server.
In an embodiment of the disclosure, the method further comprises:
judging whether the access request packet has a RST bit or not under the condition that the protocol type is the TCP type;
in the case where the access request packet has a RST bit, the access request packet is discarded.
In an embodiment of the disclosure, the method further comprises:
and uploading the access request packet to the server under the condition that the access request packet is not attacked by the DDOS.
A second aspect of the present disclosure provides a device for resisting DDOS attack, applied to an intelligent network card, where the intelligent network card is disposed on a server, including:
the receiving module is used for receiving an access request packet sent to the server by the client;
the judging module is used for judging whether the access request packet is attacked by the DDOS or not;
and the response module is used for responding to the access request packet under the condition that the access request packet is attacked by the DDOS.
In an embodiment of the disclosure, the response module includes:
the analyzing module is used for analyzing the protocol type of the access request packet, wherein the protocol type comprises an ICMP type and a TCP type;
the first reply module is used for replying the access request packet to the client under the condition that the protocol type is the ICMP type;
and the second reply module is used for determining the connection stage of the access request packet and responding to the access request packet according to its connection stage when the protocol type is the TCP type.
In an embodiment of the present disclosure, when the connection phase of the access request packet is the first handshake, responding to the access request packet according to its connection phase includes:
for the same access request packet, acquiring the currently received SYN message and the Seq value it carries, and the historically received SYN messages and the Seq values they carry;
judging whether there exists a historically received SYN message whose SYN message and carried Seq value are the same as the currently received SYN message and its carried Seq value;
discarding the received SYN message when such a historically received SYN message and carried Seq value exist;
and replying a SYN message and an ACK message to the client when no such historically received SYN message and carried Seq value exist.
In an embodiment of the present disclosure, when the connection phase of the access request packet is the second handshake, responding to the access request packet according to its connection phase includes:
constructing a semi-connection waiting list, where the semi-connection waiting list is used to store a preset threshold number of SYN messages;
adding the received SYN message to the preset semi-connection waiting list;
judging whether the number of SYN messages currently in the semi-connection waiting list is larger than the threshold;
and deleting the target SYN message from the semi-connection waiting list when the number of SYN messages in the semi-connection waiting list is larger than the threshold.
In an embodiment of the present disclosure, when the connection phase of the access request packet is the second handshake, the apparatus further includes:
a discarding module, used for discarding the SYN message when a SYN message sent from the same IP address is received.
In an embodiment of the present disclosure, in a case where the connection phase of the access request packet is a third handshake, the responding to the access request packet according to the connection phase of the access request packet includes:
acquiring a currently received ACK message;
searching SYN messages corresponding to the five-tuple of the ACK message from the semi-connection waiting list;
and, when the SYN message corresponding to the five-tuple of the ACK message is found, removing the SYN message corresponding to the ACK message from the semi-connection waiting list, completing the connection of the access request packet, and sending the related information of the access request packet to the server.
In an embodiment of the disclosure, the apparatus further comprises:
judging whether the access request packet has a RST bit or not under the condition that the protocol type is the TCP type;
in the case where the access request packet has a RST bit, the access request packet is discarded.
In an embodiment of the disclosure, the apparatus further comprises:
and the uploading module is used for uploading the access request packet to the server under the condition that the access request packet is not attacked by the DDOS.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above method.
According to the method, device, intelligent network card, medium and product for resisting DDOS attacks provided by the disclosure, an access request packet sent by a client to the server is received, it is judged whether the access request packet belongs to a DDOS attack, and the access request packet is responded to when it belongs to a DDOS attack. On one hand, the response is implemented in hardware by the intelligent network card, which gives higher performance than a firewall server; on the other hand, the response operation is integrated into the intelligent network card, so no separate server needs to be configured as a firewall: the intelligent network card replies to the access request packet directly, the packet does not need to be uploaded to the server, server resources are not occupied, and the DDOS attack is effectively resisted.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a method, apparatus, intelligent network card, medium, and program product for resistance to DDOS attacks according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method of countering DDOS attacks in accordance with an embodiment of the present disclosure;
FIG. 3 schematically illustrates a TCP protocol-based three-way handshake according to an embodiment of the disclosure;
FIG. 4 schematically illustrates a flow chart of a method of countering DDOS attacks in the case of a TCP type-based first handshake, according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart of a method of countering DDOS attacks in the case of a TCP type based second handshake, according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow chart of a method of countering DDOS attacks in the case of a TCP type based third handshake, according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a flowchart of a method of countering a DDOS attack in a TCP type-based scenario in accordance with an embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of a device that is resistant to DDOS attacks in accordance with an embodiment of the present disclosure; and
FIG. 9 schematically illustrates a block diagram of an intelligent network card adapted to implement a method of resistance to DDOS attacks in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like at least one of "A, B and C, etc. are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g.," a system having at least one of A, B and C "shall include, but not be limited to, a system having a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
In the technical scheme of the disclosure, the related processes of collecting, storing, using, processing, transmitting, providing, disclosing, applying and the like of the personal information of the user all conform to the regulations of related laws and regulations, necessary security measures are adopted, and the public order harmony is not violated.
In the technical scheme of the disclosure, the processes of acquiring, collecting, storing, using, processing, transmitting, providing, disclosing, applying and the like of the data all conform to the regulations of related laws and regulations, necessary security measures are adopted, and the public order harmony is not violated.
Intelligent network cards have become a vital foundation device in the field of cloud computing. The intelligent network card can complete the conversion work of network virtualization, so that a user of the bare metal server or the virtual machine can use the intelligent network card like a common network card.
Fig. 1 schematically illustrates an application scenario diagram of a method, an apparatus, an intelligent network card, a medium and a product for resisting DDOS attacks according to an embodiment of the present disclosure.
As shown in fig. 1, in the process of resisting a DDOS attack, the intelligent network card of the embodiment of the disclosure receives an access request packet sent by a client to the server, determines whether the access request packet belongs to a DDOS attack, and responds to the access request packet when it does. On one hand, the response is implemented in hardware by the intelligent network card, which gives higher performance than a firewall server; on the other hand, the response operation is integrated into the intelligent network card, so no separate server needs to be configured as a firewall: the intelligent network card replies to the access request packet directly, the packet does not need to be uploaded to the server, server resources are not occupied, and the DDOS attack is effectively resisted.
The method of combating DDOS attacks of the disclosed embodiments will be described in detail below with reference to the scenario described in fig. 1, by means of fig. 2 to 6.
Fig. 2 schematically illustrates a flow chart of a method of countering a DDOS attack in accordance with an embodiment of the present disclosure.
As shown in fig. 2, the method for resisting DDOS attack of this embodiment is applied to an intelligent network card, which is provided in a server, and includes operations S210 to S230.
In operation S210, an access request packet transmitted from the client to the server is received.
In operation S220, it is judged whether the access request packet is attacked by the DDOS;
in operation S230, in case the access request packet is attacked by the DDOS, the access request packet is responded to.
In one embodiment of the present disclosure, the access request packet is uploaded to the server without the access request packet being attacked by the DDOS.
The most common DDOS attack mode is the Flood attack, also called a flooding attack. Flood attacks include the Internet Control Message Protocol (ICMP) type and the Transmission Control Protocol (TCP) type. Both types occupy server resources by sending massive numbers of the related messages, rendering the service unusable. Specifically, an ICMP-type Flood attack means that the attacker continuously sends ICMP echo request messages; a TCP-type Flood attack means that the attacker continuously sends SYN, SYN+ACK, ACK and similar messages.
In one embodiment of the present disclosure, responding to the access request packet in operation S230 includes: analyzing the protocol type of the access request packet, wherein the protocol type comprises an ICMP type and a TCP type, replying the access request packet to the client under the condition that the protocol type is the ICMP type, determining the connection stage of the access request packet under the condition that the protocol type is the TCP type, and responding to the access request packet according to the connection stage of the access request packet.
ICMP is a sub-protocol of the TCP/IP protocol suite used to pass control messages between IP hosts and routers. A control message is a message about the network itself, such as whether the network is connected, whether a host is reachable, or whether a route is available. ICMP carries error messages and other network management messages, and is used to locate network devices, determine the hop count or round-trip time from source to destination, and so on.
When an attacker carries out an ICMP-type Flood attack, a large number of ICMP-type access request packets are sent to the server; they almost completely occupy the server's connection resources, and normal TCP connections cannot be established. According to the intelligent network card of the disclosure, the access request packet sent by the client to the server is received, and when the access request packet belongs to a DDOS attack and the intelligent network card determines that its protocol type is the ICMP type, the packet is not uploaded to the server but is replied to the client directly by the intelligent network card, so host resources are not occupied and the Flood attack is effectively resisted.
TCP is a connection-oriented, reliable, byte-stream-based transport layer protocol. TCP provides a reliable connection service, and a connection is initialized through a three-way handshake. The purpose of the three-way handshake is to synchronize the sequence numbers and acknowledgement numbers of the two parties to the connection and to exchange TCP window size information.
In the related art, fig. 3 illustrates the procedure of establishing a connection by the TCP three-way handshake as follows. First, the client sends a SYN message to the server; the SYN message contains the client's initial sequence number, and the client sets its connection state to SYN-SENT. Then, after receiving the SYN message, the server responds to the client with a SYN+ACK message, which contains the server's initial sequence number, and sets its connection state to SYN-RCVD. Finally, after receiving the server's SYN+ACK, the client sends an ACK message to the server as confirmation and sets its connection state to ESTABLISHED. After receiving the ACK message, the server sets its connection state to ESTABLISHED. Completion of the three-way handshake marks the successful establishment of a TCP connection. The intelligent network card receives the access request packet sent by the client to the server, and when the access request packet belongs to a DDOS attack and the intelligent network card determines that its protocol type is the TCP type, the packet is not uploaded to the server; instead, the connection stage of the access request packet is determined and the packet is responded to according to that stage, so host resources are not occupied and the Flood attack is effectively resisted.
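The ICMP/TCP dispatch and the RST check described above, as an added example that is not code from the patent or its assignee: it parses constructed IPv4/ICMP/TCP sample packets, classifies each into the network card's reply, drop or handshake-stage path, and builds the echo reply the card sends back itself for an ICMP echo request instead of uploading it. The judgement of whether traffic is a DDOS attack at all (operation S220) is not specified on the page, so the example assumes the packet has already been flagged; all function names, constants and sample packets are the example's own.

```python
"""SmartNIC datapath classification for flagged packets (added example, not the patent's code)."""
import struct

PROTO_ICMP, PROTO_TCP = 1, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Extract what the card needs: protocol, addresses, and the L4 fields it acts on."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    l4 = pkt[ihl:]
    info = {"proto": proto, "src": src, "dst": dst, "ihl": ihl}
    if proto == PROTO_TCP:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        info.update(seq=seq, ack=ack, flags=off_flags & 0x1FF,
                    five_tuple=(src, sport, dst, dport, proto))
    elif proto == PROTO_ICMP:
        info.update(icmp_type=l4[0], icmp_code=l4[1])
    return info


def classify(pkt: bytes) -> str:
    """Decide what the card does with a packet already flagged as attack traffic."""
    info = parse_ipv4(pkt)
    if info["proto"] == PROTO_ICMP:
        # ICMP type: the card answers echo requests itself rather than uploading them.
        return "reply_icmp" if info["icmp_type"] == ICMP_ECHO_REQUEST else "upload"
    if info["proto"] == PROTO_TCP:
        flags = info["flags"]
        if flags & TCP_RST:                          # RST bit set: discard
            return "drop_rst"
        if flags & TCP_SYN and not flags & TCP_ACK:  # first handshake
            return "first_handshake"
        if flags & TCP_ACK and not flags & TCP_SYN:  # third handshake
            return "third_handshake"
    return "upload"


def build_icmp_echo_reply(request: bytes) -> bytes:
    """Answer an echo request on the card: swap addresses, type 8 -> 0, redo both checksums."""
    info = parse_ipv4(request)
    ihl = info["ihl"]
    ip = bytearray(request[:ihl])
    ip[12:16], ip[16:20] = info["dst"], info["src"]
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    icmp = bytearray(request[ihl:])
    icmp[0] = ICMP_ECHO_REPLY
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return bytes(ip + icmp)


# --- constructed sample packets (built here, not captured traffic) ---
def make_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0, 0, 64, proto, 0, src, dst))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + payload


def make_tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    # data offset 5 (20-byte header), window 65535, zero checksum and urgent pointer
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def make_icmp_echo_request(ident: int, seq: int, data: bytes) -> bytes:
    icmp = bytearray(struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data)
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return bytes(icmp)


CLIENT, SERVER = bytes([198, 51, 100, 7]), bytes([10, 0, 0, 1])  # documentation addresses
SAMPLES = {
    "echo": make_ipv4(CLIENT, SERVER, PROTO_ICMP, make_icmp_echo_request(1, 1, b"ping")),
    "syn": make_ipv4(CLIENT, SERVER, PROTO_TCP, make_tcp(4000, 80, 1000, 0, TCP_SYN)),
    "ack": make_ipv4(CLIENT, SERVER, PROTO_TCP, make_tcp(4000, 80, 1001, 5001, TCP_ACK)),
    "rst": make_ipv4(CLIENT, SERVER, PROTO_TCP, make_tcp(4000, 80, 1001, 5001, TCP_RST | TCP_ACK)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", classify(pkt))
```

The echo reply is verifiable offline: recomputing the checksum over the emitted IP header and over the ICMP part must give zero for both, which is the same check a receiver applies. Non-echo ICMP and other protocols fall through to "upload", matching the text's rule that only flagged attack traffic is answered or dropped on the card.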
Fig. 4 schematically illustrates a flow chart of a method of countering DDOS attacks in the case of a TCP type based first handshake according to an embodiment of the present disclosure.
As shown in fig. 4, the method for resisting DDOS attack of this embodiment is applied to an intelligent network card, which is provided at a server, and includes operations S410 to S430 in addition to operations S210 to S230 shown in fig. 2.
In operation S410, for the same access request packet, the currently received SYN packet and the carried Seq value, the historically received SYN packet and the carried Seq value are obtained.
In operation S420, it is determined whether there exists a historically received SYN message whose SYN message and carried Seq value are the same as the currently received SYN message and its carried Seq value.
In operation S430, when such a historically received SYN message and carried Seq value exist, the received SYN message is discarded.
In operation S440, when no such historically received SYN message and carried Seq value exist, a SYN message and an ACK message are replied to the client.
Each byte in the data transmitted by TCP is numbered sequentially, and the Sequence Number (SN/Seq) is the Sequence Number of the first byte of the data transmitted at this time. Each byte in the byte stream transmitted in one TCP connection is numbered sequentially. The starting sequence number of the entire byte stream to be transferred must be set at the connection establishment. The sequence number field value in the header refers to the sequence number of the first byte of the data sent by the current segment. For example, the sequence number of a segment is 301, and the received data is 100 bytes in total. This indicates that: the sequence number of the first byte of the data of the present segment is 301 and the sequence number of the last byte is 400. Obviously, the data sequence number of the next segment (if any) should start from 401, i.e. the sequence number field value of the next segment should be 401. The sequence number of this field is also called "segment sequence number".
According to the embodiment of the disclosure, if the same SYN message and the repeated Seq value are received by the same TCP connection, the message is an illegal message, and the intelligent network card directly discards the illegal message. If the same SYN message is not received by the same TCP connection, the intelligent network card replies the SYN message and the ACK message to the client.
Fig. 5 schematically illustrates a flow chart of a method of countering a DDOS attack in the case of a TCP type based second handshake according to an embodiment of the present disclosure.
As shown in fig. 5, the method for resisting DDOS attack of this embodiment is applied to an intelligent network card, which is provided in a server, and includes operations S510 to S540 in addition to operations S210 to S230 shown in fig. 2.
In operation S510, a semi-connection waiting list is constructed, where the semi-connection waiting list is used to store a preset threshold number of SYN messages.
In operation S520, the received SYN message is added to a preset semi-connection waiting list.
In operation S530, it is determined whether the number of SYN messages in the semi-connection waiting list is currently greater than the threshold.
In operation S540, in the case where the number of SYN messages in the semi-connection waiting list is greater than the threshold, the target SYN message in the semi-connection waiting list is deleted.
In the present disclosure, the target SYN message may be a SYN message that first enters the semi-connection waiting list, or may be a SYN message with a waiting time exceeding a specified value, or may be a message with any other set condition.
In the present disclosure, after the server replies with a SYN+ACK message, two situations can be distinguished. In the first, a legal connection, the client returns an ACK message; the whole TCP handshake is a legal connection and is uploaded to the server for subsequent connection handling and processing. In the second, the half-connection state, the client does not return an ACK message. In that case the SYN message sent by the client is not regarded as a legal request, i.e. it is a half-connection.
According to the embodiment of the disclosure, the intelligent network card maintains a half-connection waiting list for storing and maintaining the number of the current half-connection. For the TCP connection in the semi-connection state, the intelligent network card can store the TCP connection in the semi-connection waiting list in the intelligent network card to wait for subsequent processing.
The intelligent network card stores each newly added half-connection in the half-connection waiting list. Assuming that the total number of SYN messages received within a period of time is recorded as SYN_COUNT and the total number of ACK messages received is recorded as ACK_COUNT, the number of half-connections currently to be maintained can be obtained from the following formula:
N_half = ACK_COUNT - SYN_COUNT
Taking the time window into account, N_half(T_w) gives the total number of half-connections stored within the current time window T_w. If the number of half-connections within a time window T_w exceeds a preset threshold N_th, i.e. N_half(T_w) > N_th is satisfied, the half-connection at the head of the waiting list (the entry that entered the list earliest) is discarded, and the new half-connection is then entered into the waiting list and stored at its tail.
If N_half(T_w) > N_th is currently not satisfied, i.e. the half-connection waiting list is not full, the head element of the waiting list need not be deleted; instead, the new half-connection is directly entered into the waiting list and stored at its tail.
In an embodiment of the present disclosure, when the connection phase of the access request packet is the second handshake and a further SYN packet sent from the same IP address is received, that SYN packet is discarded. A client in the half-connection state is recorded in the half-connection waiting list; if another SYN message from the same client IP is received at this time, the intelligent network card discards it directly without processing, which prevents one IP from establishing multiple half-connections simultaneously.
Because packets can be lost, SYN messages may accumulate up to a certain point without any of them receiving an ACK message, even though the client has in fact already replied with the ACK message, which was simply lost on the way. In an embodiment of the present disclosure, the entire half-connection waiting list may therefore be cleared periodically or aperiodically. In one example, at regular intervals with period T_reset, the whole waiting list is cleared and the counters SYN_COUNT and ACK_COUNT are reset to 0, so that infinite waiting and deadlock cannot occur.
Fig. 6 schematically illustrates a flow chart of a method of countering a DDOS attack in a third handshake case based on TCP type according to an embodiment of the disclosure.
As shown in fig. 6, the method for resisting DDOS attack of this embodiment is applied to an intelligent network card, which is provided at a server, and includes operations S610 to S630 in addition to operations S210 to S230 shown in fig. 2.
In operation S610, the currently received ACK message is acquired.
In operation S620, a SYN message corresponding to the five-tuple of the ACK message is searched for from the semi-connection waiting list.
In operation S630, in the case of finding a SYN message corresponding to the five-tuple of the ACK message, the SYN message corresponding to the ACK message is removed from the semi-connection waiting list, the connection of the access request packet is completed, and the related information of the access request packet is sent to the server.
After the server sends the SYN+ACK message, a socket interface in a semi-connection state is established, a timer is started at the same time, if the ACK message responded by the opposite side is not received within the timeout time, the server can perform timeout retransmission of the SYN+ACK message to the client, so that if the client continuously sends the SYN message and the message responded by the server is left alone, the server continuously creates the socket in the semi-connection state to consume resources, and the server cannot process the normal connection request of the client.
After receiving an ACK packet of a client, the network card of the server traverses a waiting queue from the head, if a TCP connection corresponding to the five-tuple is found, the TCP connection establishment process is directly completed, relevant information is uploaded to the server, and the server performs subsequent TCP connection processing and data transmission.
Fig. 7 schematically illustrates a flowchart of a method of countering a DDOS attack based on a TCP type scenario in accordance with an embodiment of the present disclosure.
As shown in fig. 7, the method for resisting DDOS attack of this embodiment is applied to an intelligent network card, which is provided at a server, and includes operations S710 to S720 in addition to operations S210 to S230 shown in fig. 2.
In operation S710, in case that the protocol type is the TCP type, it is determined whether the access request packet has a RST bit.
In operation S720, in case the access request packet has the RST bit, the access request packet is discarded.
The RST flag indicates a reset, i.e. an abnormal closing of the connection. In one example, a TCP connection is established between A and B; if a third party C forges a TCP access request packet to B at this time that abnormally disconnects B's TCP connection with A, this is an RST attack.
The intelligent network card judges whether the access request packet has the RST bit under the condition that the protocol type is the TCP type, and discards the access request packet under the condition that the access request packet has the RST bit, so that the problem of RST attack of the TCP type is solved.
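The handshake handling described for Figs. 2 to 7 above (the Seq check on the first handshake, the half-connection waiting list with its N_th eviction and T_reset clearing, the same-IP discard, the five-tuple match of the ACK on the third handshake, and the RST drop), as an added Python model that is not part of the patent or of the applicant's implementation. The class and method names, the action labels, the treatment of an ACK with no pending SYN, and the constructed traffic in demo() are assumptions; the NIC's real data path would implement this in hardware or firmware.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One access request packet as seen by the smart NIC (constructed model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"  # "TCP" or "ICMP"
    syn: bool = False
    ack: bool = False
    rst: bool = False
    seq: int = 0        # Seq value carried by a SYN

    @property
    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


class HalfConnectionFilter:
    def __init__(self, n_th: int, t_reset: float):
        self.n_th = n_th              # N_th: capacity of the half-connection waiting list
        self.t_reset = t_reset        # T_reset: period after which list and counters are cleared
        self.waiting = OrderedDict()  # five-tuple -> Seq of pending SYN; head = earliest entry
        self.seen_seq = {}            # five-tuple -> set of Seq values of SYNs received so far
        self.syn_count = 0            # SYN_COUNT for the current window
        self.ack_count = 0            # ACK_COUNT for the current window
        self.window_start = 0.0

    def _maybe_reset(self, now: float) -> None:
        # Periodic clearing: lost packets must not leave stale half-connections forever.
        if now - self.window_start >= self.t_reset:
            self.waiting.clear()
            self.seen_seq.clear()     # assumption: history is cleared with the list to bound memory
            self.syn_count = self.ack_count = 0
            self.window_start = now

    def process(self, pkt: Packet, now: float) -> str:
        self._maybe_reset(now)
        if pkt.proto == "ICMP":
            return "REPLY_ICMP"       # ICMP requests are answered by the NIC itself
        if pkt.rst:
            return "DROP_RST"         # any TCP packet with the RST bit set is discarded
        if pkt.syn and not pkt.ack:
            return self._on_syn(pkt)
        if pkt.ack:
            return self._on_ack(pkt)
        return "DROP_OTHER"           # assumption: anything else is not an access request

    def _on_syn(self, pkt: Packet) -> str:
        self.syn_count += 1
        history = self.seen_seq.setdefault(pkt.five_tuple, set())
        if pkt.seq in history:        # first handshake: repeated Seq on the same connection
            return "DROP_DUP_SEQ"
        history.add(pkt.seq)
        if any(t[0] == pkt.src_ip for t in self.waiting):
            return "DROP_SAME_IP"     # second handshake: one half-connection per source IP
        self.waiting[pkt.five_tuple] = pkt.seq
        if len(self.waiting) > self.n_th:
            self.waiting.popitem(last=False)  # over N_th: drop the earliest (head) entry
        return "REPLY_SYN_ACK"

    def _on_ack(self, pkt: Packet) -> str:
        self.ack_count += 1
        if pkt.five_tuple in self.waiting:  # third handshake: ACK matches a pending SYN
            del self.waiting[pkt.five_tuple]
            return "UPLOAD_TO_SERVER"
        return "NO_PENDING_SYN"       # the description does not specify this case


def demo() -> dict:
    nic = HalfConnectionFilter(n_th=3, t_reset=10.0)
    srv = ("10.0.0.1", 80)
    out = {}
    out["flood"] = [nic.process(Packet("203.0.113.5", p, *srv, syn=True, seq=1000 + p), 1.0)
                    for p in (40000, 40001, 40002)]  # constructed flood: one IP, three ports
    # The same SYN again (same five-tuple, same Seq) is an illegal message.
    out["dup"] = nic.process(Packet("203.0.113.5", 40000, *srv, syn=True, seq=41000), 1.5)
    # A legitimate client completes the handshake and is handed to the server.
    out["legit_syn"] = nic.process(Packet("198.51.100.7", 50000, *srv, syn=True, seq=7), 2.0)
    out["legit_ack"] = nic.process(Packet("198.51.100.7", 50000, *srv, ack=True, seq=8), 3.0)
    out["pending_after_legit"] = len(nic.waiting)
    # Three more hosts push the list past N_th, so the earliest entry is evicted.
    for i in (1, 2, 3):
        nic.process(Packet(f"192.0.2.{i}", 6000, *srv, syn=True, seq=i), 4.0)
    out["pending_after_burst"] = len(nic.waiting)
    out["evicted"] = ("203.0.113.5", 40000, *srv, "TCP") not in nic.waiting
    out["rst"] = nic.process(Packet("192.0.2.9", 7000, *srv, rst=True, ack=True), 5.0)
    # After T_reset the waiting list and counters are cleared.
    out["icmp"] = nic.process(Packet("192.0.2.9", 0, *srv, proto="ICMP"), 12.0)
    out["pending_after_reset"] = len(nic.waiting)
    return out


if __name__ == "__main__":
    print(demo())
```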
Based on the method for resisting the DDOS attack, the present disclosure also provides a device for resisting the DDOS attack. The device will be described in detail below in connection with fig. 8.
Fig. 8 schematically shows a block diagram of a structure of a device that resists DDOS attacks according to an embodiment of the present disclosure.
As shown in fig. 8, the DDOS attack resisting device of this embodiment is applied to an intelligent network card, which is disposed on a server and includes a receiving module 810, a judging module 820 and a responding module 830.
The receiving module 810 is configured to receive an access request packet sent by a client to the server. In an embodiment, the receiving module 810 may be configured to perform the operation S210 described above, which is not described herein.
The judging module 820 is configured to judge whether the access request packet is under DDOS attack. In an embodiment, the judging module 820 may be configured to perform the operation S220 described above, which is not described herein.
The response module 830 is configured to respond to the access request packet in case the access request packet is attacked by the DDOS. In an embodiment, the response module 830 may be configured to perform the operation S230 described above, which is not described herein.
In one embodiment of the present disclosure, the response module 830 includes:
the analyzing module is used for analyzing the protocol type of the access request packet, wherein the protocol type comprises an ICMP type and a TCP type;
the first reply module is used for replying the access request packet to the client under the condition that the protocol type is the ICMP type;
and the second reply module is used for determining the connection stage of the access request packet under the condition that the protocol type is the TCP type, and responding to the access request packet according to the connection stage of the access request packet.
In an embodiment of the present disclosure, in a case where the connection phase of the access request packet is a first handshake, responding to the access request packet according to the connection phase of the access request packet includes:
for the same access request packet, acquiring a currently received SYN message and a carried Seq value, and a historically received SYN message and a carried Seq value;
judging whether there exists a historically received SYN message whose carried Seq value is the same as that of the currently received SYN message;
discarding the currently received SYN message in the case that such a historically received SYN message with the same carried Seq value exists;
and replying the SYN message and the ACK message to the client in the case that no such historically received SYN message with the same carried Seq value exists.
In an embodiment of the present disclosure, in a case where the connection phase of the access request packet is the second handshake, responding to the access request packet according to the connection phase of the access request packet includes:
constructing a semi-connection waiting list, wherein the semi-connection waiting list is used for storing SYN messages with preset threshold quantity;
adding the received SYN message into a preset semi-connection waiting list;
judging whether the number of SYN messages in the current semi-connection waiting list is larger than the threshold value or not;
and deleting the target SYN message in the semi-connection waiting list under the condition that the number of SYN messages in the semi-connection waiting list is larger than the threshold value.
In an embodiment of the present disclosure, in a case where the connection phase of the access request packet is the second handshake, the apparatus further includes:
and the discarding module is used for discarding the SYN message under the condition of receiving the SYN message sent by the same IP address.
In an embodiment of the present disclosure, in a case where the connection phase of the access request packet is a third handshake, responding to the access request packet according to the connection phase of the access request packet includes:
Acquiring a currently received ACK message;
searching SYN messages corresponding to the five-tuple of the ACK message from the semi-connection waiting list;
and under the condition that the SYN message corresponding to the five-tuple of the ACK message is found, removing the SYN message corresponding to the ACK message from the semi-connection waiting list, completing the connection of the access request packet, and sending the related information of the access request packet to the server.
In an embodiment of the present disclosure, the apparatus further comprises:
judging whether the access request packet has a RST bit or not under the condition that the protocol type is the TCP type;
in the case where the access request packet has a RST bit, the access request packet is discarded.
In an embodiment of the present disclosure, the apparatus further comprises:
and the uploading module is used for uploading the access request packet to the server under the condition that the access request packet is not attacked by the DDOS.
Any of the receiving module 810, the judging module 820, and the responding module 830 may be combined in one module to be implemented, or any of the modules may be split into a plurality of modules according to an embodiment of the present disclosure. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. At least one of the receiving module 810, the determining module 820 and the responding module 830 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable way of integrating or packaging the circuitry, or in any one of or a suitable combination of three of software, hardware and firmware. Alternatively, at least one of the receiving module 810, the judging module 820 and the responding module 830 may be at least partially implemented as a computer program module, which when executed, may perform the corresponding functions.
Fig. 9 schematically illustrates a block diagram of an intelligent network card adapted to implement a method of resistance to DDOS attacks in accordance with an embodiment of the present disclosure.
As shown in fig. 9, the intelligent network card 400 according to the embodiment of the present disclosure includes a processor 401, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 402 or a program loaded from a storage section 408 into a Random Access Memory (RAM) 403. The processor 401 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 401 may also include on-board memory for caching purposes. Processor 401 may include a single processing unit or multiple processing units for performing different actions of the method flows in accordance with embodiments of the disclosure.
In the RAM 403, various programs and data necessary for the operation of the intelligent network card 400 are stored. The processor 401, the ROM 402, and the RAM 403 are connected to each other by a bus 404. The processor 401 performs various operations of the method flow according to the embodiment of the present disclosure by executing programs in the ROM 402 and/or the RAM 403. Note that the program may be stored in one or more memories other than the ROM 402 and the RAM 403. The processor 401 may also perform various operations of the method flow according to the embodiments of the present disclosure by executing programs stored in the one or more memories.
According to embodiments of the present disclosure, the intelligent network card 400 may also include an input/output (I/O) interface 405, the input/output (I/O) interface 405 also being connected to the bus 404. The intelligent network card 400 may also include one or more of the following components connected to the I/O interface 405: an input section 406 including a keyboard, a mouse, and the like; an output portion 407 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker, and the like; a storage section 408 including a hard disk or the like; and a communication section 409 including a network interface card such as a LAN card, a modem, or the like. The communication section 409 performs communication processing via a network such as the internet. The drive 410 is also connected to the I/O interface 405 as needed. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed on the drive 410 as needed, so that a computer program read therefrom is installed into the storage section 408 as needed.
In an embodiment of the present disclosure, the processor 401 is a neural network processor (NPU, neural network Processing Unit).
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM402 and/or RAM403 and/or one or more memories other than ROM402 and RAM403 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 401. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed over a network medium in the form of signals, downloaded and installed via the communication portion 409, and/or installed from the removable medium 411. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 409 and/or installed from the removable medium 411. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 401. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (12)

1. The DDOS attack resistance method is characterized by being applied to an intelligent network card, wherein the intelligent network card is arranged on a server, and the method comprises the following steps:
Receiving an access request packet sent to the server by a client;
judging whether the access request packet is attacked by DDOS or not;
in the event that the access request packet is under DDOS attack, responding to the access request packet.
2. The method of claim 1, wherein said responding to said access request packet comprises:
analyzing the protocol type of the access request packet, wherein the protocol type comprises an ICMP type and a TCP type;
replying the access request packet to the client under the condition that the protocol type is the ICMP type;
and under the condition that the protocol type is the TCP type, determining the connection stage of the access request packet, and responding to the access request packet according to the connection stage of the access request packet.
3. The method according to claim 2, wherein in the case where the connection phase of the access request packet is a first handshake, the responding to the access request packet according to the connection phase of the access request packet includes:
for the same access request packet, acquiring a currently received SYN message and a carried Seq value, and a historically received SYN message and a carried Seq value;
judging whether there exists a historically received SYN message whose carried Seq value is the same as that of the currently received SYN message;
discarding the currently received SYN message in the case that such a historically received SYN message with the same carried Seq value exists;
and replying the SYN message and the ACK message to the client in the case that no such historically received SYN message with the same carried Seq value exists.
4. The method of claim 2, wherein, in the case where the connection phase of the access request packet is a second handshake, the responding to the access request packet according to the connection phase of the access request packet comprises:
constructing a semi-connection waiting list, wherein the semi-connection waiting list is used for storing SYN messages with preset threshold quantity;
adding the received SYN message into a preset semi-connection waiting list;
judging whether the number of SYN messages in the current semi-connection waiting list is larger than the threshold value or not;
and deleting the target SYN message in the semi-connection waiting list under the condition that the number of SYN messages in the semi-connection waiting list is larger than the threshold value.
5. The method of claim 4, wherein in the case where the connection phase of the access request packet is a second handshake, the method further comprises:
and discarding the SYN message under the condition of receiving the SYN message sent by the same IP address.
6. The method according to claim 4, wherein in the case where the connection phase of the access request packet is a third handshake, the responding to the access request packet according to the connection phase of the access request packet comprises:
acquiring a currently received ACK message;
searching SYN messages corresponding to the five-tuple of the ACK message from the semi-connection waiting list;
and under the condition that the SYN message corresponding to the five-tuple of the ACK message is found, removing the SYN message corresponding to the ACK message from the semi-connection waiting list, completing the connection of the access request packet, and sending the related information of the access request packet to the server.
7. A method of combating a DDOS attack according to claim 2, wherein said method further comprises:
judging whether the access request packet has a RST bit or not under the condition that the protocol type is the TCP type;
In the case where the access request packet has a RST bit, the access request packet is discarded.
8. The method of combatting a DDOS attack of claim 1, further comprising:
and uploading the access request packet to the server under the condition that the access request packet is not attacked by the DDOS.
9. A DDOS attack resistance device, characterized in that it is applied to an intelligent network card, the intelligent network card being disposed on a server, and comprising:
the receiving module is used for receiving an access request packet sent to the server by the client;
the judging module is used for judging whether the access request packet is attacked by the DDOS or not;
and the response module is used for responding to the access request packet under the condition that the access request packet is attacked by the DDOS.
10. An intelligent network card, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-8.
11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-8.
12. A computer program product comprising a computer program which, when executed by a processor, causes the processor to perform the method according to any one of claims 1 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310037310.XA CN116232690A (en) 2023-01-10 2023-01-10 DDOS attack resistance method and device, intelligent network card, medium and product

Publications (1)

Publication Number Publication Date
CN116232690A true CN116232690A (en) 2023-06-06


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination