CN101123492A - Method and device for detecting scanning attack - Google Patents


Publication number
CN101123492A
Authority
CN
China
Legal status
Granted
Application number
CNA2007101214366A
Other languages
Chinese (zh)
Other versions
CN101123492B (en)
Inventor
施鸿殊
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN2007101214366A
Publication of CN101123492A
Application granted
Publication of CN101123492B
Current legal status: Expired - Fee Related

Abstract

Embodiments of the present invention disclose a method and a device for detecting scanning attacks. The method parses received message information and records the destination port or the IP address carried in it; it then counts the number of times that destination port or IP address is recorded within a predetermined time; and when that count reaches a predetermined threshold, it judges that a scanning attack is occurring. The device comprises a first unit that parses the received message information and records the destination port or the IP address, a second unit that counts the number of times the destination port or the IP address is recorded within the predetermined time, and a third unit that judges that a scanning attack is occurring when that count reaches the predetermined threshold. In each embodiment, scanning attacks are detected effectively from the number of port or protocol attacks within a predetermined time, which reduces both the false alarm rate and the implementation difficulty of scan detection.

Description

Method and apparatus for detecting scanning attacks
Technical field
The present invention relates to a method for detecting scanning attacks, in particular a method that detects a scanning attack from the number of attacks observed within a certain period of time. The invention further relates to an apparatus for detecting scanning attacks, in particular an apparatus that detects a scanning attack from the number of attacks observed within a certain period of time. The invention belongs to the field of network security technology.
Background technology
The purpose of a scanning attack is to find services that can be attacked successfully. Scanning is a network reconnaissance technique commonly used by hackers and other attackers, and it comes in two kinds: Internet Protocol (IP) address scanning (IP-Sweep) and port scanning (Port-scan).
The purpose of IP-Sweep is to discover the active hosts in a network. The attack method is to send a large number of messages with varying destination IP addresses, in the hope of learning the IP addresses of active hosts from the replies.
The purpose of Port-scan is to learn which services an active host has open. The attack method is generally to send the target a large number of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) messages with varying ports, in the hope of learning the host's open services from the replies. The reply depends on the attack message: if the attack message is a TCP message, the reply is a reset or synchronization acknowledgement (RST/SYN ACK) message; if the attack message is a UDP message, the reply is an Internet Control Message Protocol (ICMP) port unreachable message.
An ICMP port unreachable message is returned roughly as follows: when a computer receives a UDP message whose destination port is not in use on that computer, it replies with an ICMP port unreachable message, which carries the first 64 bytes of the original message.
An ICMP protocol unreachable message is returned as follows: when a computer receives a message that is neither TCP nor UDP, and the protocol of that message is not supported on the computer, it replies with an ICMP protocol unreachable message, which carries the first 64 bytes of the original message.
A TCP RST message with sequence number 0 is returned as follows: when a computer receives a TCP synchronization (TCP SYN) message whose destination port is not in use on that computer, it replies with a TCP reset (TCP RST) message whose sequence number is 0.
The existing method of preventing IP scanning measures the rate at which a source IP initiates connections to different destination addresses. The rate is obtained by sampling over a period of time: within the current sampling period, the statistics entry for the source IP records the number of distinct destination addresses to which that source IP has initiated connections; if that number reaches a preset threshold within the sampling period, an attack is flagged, after which the IP addresses recorded in that sampling period are cleared and the sampling start time and/or sampling period are reset. If the number of distinct destination addresses does not reach the threshold within the new sampling period, the recorded IP addresses are likewise cleared.
The existing method of preventing port scanning measures the rate at which a source IP initiates connections to different ports, again by sampling over a period of time: within the current sampling period, the statistics entry for the source IP records the number of distinct destination ports to which that source IP has initiated connections; if that number reaches a preset threshold within the sampling period, an attack is flagged, after which the port numbers recorded in that sampling period are cleared and the sampling start time and/or sampling period are reset. If the number of distinct destination ports does not reach the threshold within the new sampling period, the recorded port numbers are likewise cleared.
After an attack has been flagged, the source address is added to a blacklist and new connections initiated from that address are dropped. The existing detection methods described above have the following shortcomings:
When the attacker uses many computers to carry out the scan, the methods above cannot detect it. Because the existing monitoring methods rely on rate statistics, the probability of false alarms and missed detections is high; in particular, once the attacker lowers the scanning rate, the detection methods above no longer detect it. Further, because they require high timing precision and must maintain information for every session, the methods are complex to implement.
Summary of the invention
A first aspect of the present invention provides, through some embodiments, a method for detecting scanning attacks that detects scanning attacks effectively from the number of port or protocol attacks within a predetermined time, thereby reducing the false alarm rate and the implementation difficulty of scan detection.
A second aspect of the present invention provides, through other embodiments, an apparatus for detecting scanning attacks that detects scanning attacks effectively from the number of port or protocol attacks within a predetermined time, thereby reducing the false alarm rate and the implementation difficulty of scan detection.
Some embodiments of the first aspect provide the following technical scheme: first, parse the received message information and record the destination port or the TCP source port in it; then count the number of times that destination port or TCP source port is recorded within a predetermined time; and judge that a scanning attack is being suffered when the number of times the destination port or TCP source port is recorded reaches a predetermined threshold.
These embodiments judge whether a scanning attack is encountered from the number of times the destination port or TCP source port is recorded within the predetermined time. Specifically, they judge whether a UDP port scanning attack is under way from the number of ICMP port unreachable messages received, or whether a TCP port scanning attack is being suffered from the number of TCP RST messages with sequence number "0" received. Compared with the existing scan detection technology, the detection result is therefore reflected more accurately, and the specific implementation is also easier.
Other embodiments of the first aspect provide the following technical scheme: first, parse the received message information and record the DIP in it; then count the number of times this DIP is recorded within a predetermined time; and judge that a scanning attack is being suffered when the number of times the DIP is recorded reaches a predetermined threshold.
These other embodiments of the first aspect judge whether a scanning attack is encountered from the number of times the DIP within a certain network segment is recorded in the messages within the predetermined time. Specifically, they judge whether the destination network segment is under an address scanning attack from the number of ICMP port unreachable messages, ICMP protocol unreachable messages and TCP RST messages with sequence number "0" received. Compared with the existing scan detection technology, the detection result is therefore reflected more accurately, and the difficulty of the specific implementation is reduced.
Some embodiments of the second aspect provide the following apparatus: a first unit that parses the received message information and records the destination port or TCP source port in it; a second unit that counts the number of times the destination port or TCP source port is recorded within a predetermined time; and a third unit that judges that a scanning attack is being suffered when the number of times the destination port or TCP source port is recorded reaches a predetermined threshold.
The apparatus of the second aspect judges whether a scanning attack is encountered from the number of times the destination port or TCP source port is recorded within the predetermined time. Compared with the existing scan detection technology, it reflects the detection result more accurately, and its specific implementation is also easier.
Other embodiments of the second aspect provide the following apparatus: a first component that parses the received message information and records the DIP address in it; a second component that counts the number of times this DIP is recorded within a predetermined time; and a third component that judges that a scanning attack is being suffered when the number of times the DIP is recorded reaches a predetermined threshold.
This other apparatus of the second aspect judges whether a scanning attack is encountered from the number of times the DIP within a certain network segment is recorded in the messages within the predetermined time. Compared with existing scan detection equipment, it obtains the detection result more accurately and reduces the difficulty of the specific implementation.
In summary, the embodiments of the aspects above have the following advantages:
1. The scope to be protected can be set effectively; it can be a network segment or a single host;
2. Because fewer messages need to be inspected and no session information needs to be maintained, performance is superior;
3. The implementation method is simpler than the prior art and its cost is low;
4. Scanning attacks launched from multiple computers can be detected, so detection is more effective.
The content of the invention is described in further detail below through specific embodiments.
Description of drawings
Fig. 1 is a schematic flow chart of the first embodiment of the first aspect of the present invention;
Fig. 2 is a schematic flow chart of the second embodiment of the first aspect of the present invention;
Fig. 3 is a schematic flow chart of the third embodiment of the first aspect of the present invention;
Fig. 4 briefly illustrates the format of an unreachable message.
Embodiments
Referring to Fig. 4, before the embodiments of the present invention are described in detail, the format of an ICMP unreachable message must be explained briefly. Such a message usually contains the following fields, shown in Fig. 4:
The IP header, including the source IP address (SIP) and the destination IP address (DIP);
The ICMP header; for an unreachable message its type (Type) value is 3, and a code (Code) value of 2 or 3 indicates protocol unreachable or port unreachable, respectively;
The original IP header, including the original source IP address (0_SIP), the original destination IP address (0_DIP) and the original protocol (0_Protocol);
The original UDP header, including the source port (0_SPORT) and the destination port (0_DPORT) of the original IP message.
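To make the Fig. 4 layout concrete, here is an added parser (example code, not part of the patent) that pulls exactly these fields out of a raw IPv4/ICMP message; the packet builder, the addresses and the ports in it are constructed test data, and the builder leaves checksums at zero because the parser does not validate them.

```python
import struct
import ipaddress

ICMP_DEST_UNREACH = 3    # ICMP Type 3: destination unreachable
CODE_PROTO_UNREACH = 2   # Code 2: protocol unreachable
CODE_PORT_UNREACH = 3    # Code 3: port unreachable
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Parse an IPv4 ICMP protocol/port unreachable message into the fields the
    detector uses: SIP, DIP, Code, 0_SIP, 0_DIP, 0_Protocol and, when the quoted
    original message was TCP or UDP, 0_SPORT and 0_DPORT.
    Raises ValueError for anything that is not such a message."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_ICMP:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH or code not in (CODE_PROTO_UNREACH, CODE_PORT_UNREACH):
        raise ValueError("not a protocol/port unreachable message")
    # After the 8-byte ICMP header comes the original IP header plus the
    # beginning of the original datagram (the fields the patent names 0_*).
    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("truncated original IP header")
    inner_ihl = (inner[0] & 0x0F) * 4
    fields = {
        "SIP": str(ipaddress.IPv4Address(pkt[12:16])),
        "DIP": str(ipaddress.IPv4Address(pkt[16:20])),
        "Code": code,
        "0_SIP": str(ipaddress.IPv4Address(inner[12:16])),
        "0_DIP": str(ipaddress.IPv4Address(inner[16:20])),
        "0_Protocol": inner[9],
        "0_SPORT": None,
        "0_DPORT": None,
    }
    # Source and destination port occupy the first 4 bytes of both the UDP and
    # the TCP header, so the same unpack serves either original protocol.
    l4 = inner[inner_ihl:inner_ihl + 4]
    if fields["0_Protocol"] in (PROTO_TCP, PROTO_UDP) and len(l4) == 4:
        fields["0_SPORT"], fields["0_DPORT"] = struct.unpack("!HH", l4)
    return fields


def _ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left at 0 (not validated above).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_unreachable(sip, dip, o_sip, o_dip, code=CODE_PORT_UNREACH,
                      o_proto=PROTO_UDP, o_sport=0, o_dport=0) -> bytes:
    """Construct a test vector (not a captured packet): the unreachable reply
    sent by host `sip` to `dip`, quoting the original datagram o_sip -> o_dip."""
    quoted = _ipv4_header(o_sip, o_dip, o_proto, 28)
    quoted += struct.pack("!HHHH", o_sport, o_dport, 8, 0)  # 8 bytes of original payload
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return _ipv4_header(sip, dip, PROTO_ICMP, 20 + len(icmp)) + icmp


if __name__ == "__main__":
    # Constructed example: 10.0.0.5 tells 192.0.2.9 that UDP port 161 is closed.
    reply = build_unreachable("10.0.0.5", "192.0.2.9", "192.0.2.9", "10.0.0.5",
                              o_sport=40000, o_dport=161)
    for name, value in parse_icmp_unreachable(reply).items():
        print(f"{name:<11} {value}")
```

Note that SIP here is the scanned host and DIP the scanner: the detector of the embodiments keys its table on SIP and records DIP as the attacking address.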
Embodiment of the first aspect:
Referring to Fig. 1, this is an example of a detection method that judges whether a UDP port scanning attack exists from the number of ICMP port unreachable messages received.
First, the received ICMP port unreachable message is parsed, and the entry of the IP statistics table corresponding to its SIP is looked up by the SIP in the message. If the entry is found, the DIP of the message is recorded; if no entry exists in the IP statistics table, an entry is created in the table for the SIP of this message, and a UDP port queue and a DIP are allocated to that entry. Note that the IP statistics table is stored in the scan detection device, and each entry contains information such as the SIP, the DIP and the corresponding ports. If, during detection, the table has no such entry, one should be created for it so that subsequent processing can proceed.
Then the original IP message information carried in the ICMP port unreachable message is parsed to obtain 0_DPORT, and the position corresponding to this 0_DPORT in the port queue of the corresponding entry of the IP statistics table is set. In fact, each position in the port queue is a piece of state information, which can be represented by one "status bit". Setting this "status bit" therefore indicates that a corresponding message has been detected, and the more "status bits" are set, the more corresponding messages have been detected.
Besides the "setting" described above, the number of corresponding messages accumulated within a certain time can also be counted in other ways; for example, a counter can be provided whose value is incremented whenever a corresponding message is detected, which achieves the same effect of accumulating the number of corresponding messages detected within a certain time. Other accumulation mechanisms may exist as well; they are not repeated here, and a person of ordinary skill in the art can implement the accumulation or counting described above with the technical means known to them.
Within a preset time period, the number of set positions recorded in the port queue is counted, which yields the frequency of the messages. When this number reaches a preset threshold, that is, when the message frequency reaches a limit value, a UDP port scanning attack has been detected, and the DIP recorded in the entry of the IP statistics table is the IP address that initiated the scanning attack.
The DIP described above may be recorded at the same time as the statistics are collected or the bit is set, or it may not be recorded; the benefit of recording it is that the DIP information can be used further in subsequent processing.
After the scanning attack is detected, an alarm is necessary; the alarm can be raised by outputting an alarm log or by sending a related alarm message. A person of ordinary skill in the art can implement the specific alarm method with the various technical knowledge at their disposal, so it is not repeated here.
After the scanning attack is detected, the corresponding entry of the IP statistics table is further deleted, or the set "status bits" in the entry are cleared, so that detection can continue.
After the scanning attack is detected, the recorded DIP can also be added to a blacklist so that security devices such as firewalls can block attacks from that DIP address.
If no ICMP port unreachable message is received within a set time, no scanning attack is under way; in that case the corresponding entry of the IP statistics table also needs to be deleted, or the set "status bits" in the entry cleared.
In addition, for faster and more accurate detection, the corresponding entry of the IP statistics table can be looked up by both SIP and DIP, that is, one port queue is used for each SIP and DIP pair.
With the method above, because the reply messages sent by the attacked device are inspected and the number of attack messages is accumulated regardless of where the attack comes from, the method not only detects an attacker using a single device but also detects port scanning carried out with multiple devices; even an attack from multiple IP addresses can be detected with the method above, so the detection is clearly more effective than the prior art. Furthermore, because only the messages returned by the attack target are inspected, the implementation complexity of each specific scheme described is low.
Other embodiment of the first aspect:
Referring to Fig. 2, this is an example of a detection method that judges whether a TCP port scanning attack is being suffered from the number of TCP RST messages with sequence number "0" received.
First, the received TCP RST message is parsed. If its sequence number is "0", the entry of the IP statistics table corresponding to its SIP is looked up by the SIP in the message, and if the entry is found, the DIP of the message is recorded. If no entry exists in the IP statistics table, an entry is created in the table for the SIP of this message, a TCP port queue is allocated to that entry, and the DIP of the message is recorded. Note that the IP statistics table is stored in the scan detection device, and each entry contains information such as the SIP, the DIP and the corresponding ports. If, during detection, the table has no such entry, one should be created for it so that subsequent processing can proceed.
Then the TCP source port of the message is obtained, and the corresponding position in the port queue of the corresponding entry of the IP statistics table is set. Each position in the port queue is a piece of state information, which can be represented by one "status bit". Setting this "status bit" therefore indicates that a corresponding message has been detected, and the more "status bits" are set, the more corresponding messages have been detected.
Within a preset time period, the number of set positions recorded in the port queue is counted, which yields the frequency of received messages. When this number reaches a preset threshold, that is, when the message frequency reaches a limit value, a port scanning attack has been detected, and the DIP recorded in the entry of the IP statistics table is the IP address of the host that initiated the scanning attack.
The DIP described above may be recorded at the same time as the statistics are collected or the bit is set, or it may not be recorded; the benefit of recording it is that the DIP information can be used further in subsequent processing.
After the scanning attack is detected, an alarm is necessary; the alarm can be raised by outputting an alarm log or by sending a related alarm message. A person of ordinary skill in the art can implement the specific alarm method with the various technical knowledge at their disposal, so it is not repeated here.
After the scanning attack is detected, the corresponding entry of the IP statistics table is further deleted, or the set "status bits" in the entry are cleared, so that detection can continue.
After the scanning attack is detected, the recorded DIP can also be added to a blacklist so that security devices such as firewalls can block attacks from that DIP address.
If no TCP RST message with sequence number "0" is received within a set time, no scanning attack is under way; in that case the corresponding entry of the IP statistics table also needs to be deleted, or the set "status bits" in the entry cleared.
In addition, for faster and more accurate detection, the corresponding entry of the IP statistics table can be looked up by both SIP and DIP, that is, one port queue corresponds to each SIP and DIP pair.
With the method above, because the reply messages sent by the attacked device are inspected and the number of attack messages is accumulated regardless of where the attack comes from, the method not only detects an attacker using a single device but also detects port scanning carried out with multiple devices; even an attack from multiple IP addresses can be detected with the method above, so the detection is clearly more effective than the prior art. Furthermore, because only the messages returned by the attack target are inspected, the implementation complexity of each specific scheme described is low.
Further embodiment of the first aspect of the present invention:
Detecting an IP address scanning attack differs somewhat from the port scanning embodiments above, but the core of the technical scheme is still to count the number of attack messages within a predetermined time. The specific embodiment is as follows:
Referring to Fig. 3, when an ICMP port unreachable message, an ICMP protocol unreachable message or a TCP RST message with sequence number "0" is received, the entry of the IP network segment statistics table corresponding to the SIP of the message is looked up by that SIP; the DIP of the message is then recorded in that entry, and the position corresponding to this DIP in the entry's address queue is set. As in the embodiments above, when no entry corresponding to the SIP is found in the IP network segment statistics table, an entry corresponding to the SIP is created and an address queue is allocated to it so that subsequent processing can proceed.
The position corresponding to this DIP in the entry's address queue is likewise a piece of state information, which can be represented by one "status bit". Setting this "status bit" therefore indicates that a corresponding message has been detected, and the more "status bits" are set, the more corresponding messages have been detected.
Within a preset time period, the number of set positions recorded in the address queue is counted, which yields the frequency of received messages. When the number of set positions in the address queue reaches the threshold, that is, when the message frequency reaches a limit value, an address scanning attack is deemed to have occurred, and accordingly the IP address recorded in the IP network segment statistics table is the IP address of the host launching the attack.
After the attack is detected, an alarm is necessary; the alarm can be raised by outputting an alarm log or by sending a related alarm message. A person of ordinary skill in the art can implement the specific alarm method with the various technical knowledge at their disposal, so it is not repeated here.
After the address scanning attack is detected, the corresponding entry of the IP statistics table is further deleted, or the set "status bits" in the entry are cleared, so that detection can continue.
After the scanning attack is detected, the recorded IP address of the attacking host can also be added to a blacklist so that security devices such as firewalls can block attacks from that IP address.
In addition, for faster and more accurate detection, the corresponding entry of the IP statistics table can be looked up by both SIP and DIP, that is, one port queue corresponds to each SIP and DIP pair.
With the method above, because the reply messages sent by the attacked device are inspected and the number of attack messages is accumulated regardless of where the attack comes from, the method not only detects an attacker using a single device but also detects address scanning carried out with multiple devices; even an attack from multiple IP addresses can be detected with the method above, so the detection is clearly more effective than the prior art. Furthermore, because only the messages returned by the attack target are inspected, the implementation complexity of each specific scheme described is low.
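The three embodiments (Fig. 1, Fig. 2 and Fig. 3) share one mechanism: a statistics-table entry per protected scope, a queue of "status bits" indexed by the recorded value, a time window that clears the entry, and a threshold on the number of set bits. The added example below (example code, not the patent's own implementation) implements that mechanism once and exposes it for all three reply types, including the optional SIP-and-DIP keying; all addresses and timings are constructed, and indexing the Fig. 3 address queue by the replying host's offset within the protected segment is an assumption about how the patent's "address queue" is laid out.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One statistics-table entry: when its window started, the bitmap whose
    bits are the patent's "status bits", and the DIPs recorded meanwhile."""
    start: float
    bitmap: int = 0
    dips: set = field(default_factory=set)


class ScanDetector:
    def __init__(self, threshold: int, window: float, segment_prefix: int = 24,
                 by_pair: bool = False):
        self.threshold = threshold      # set bits that signal a scan
        self.window = window            # seconds; an entry that expires without alarm is cleared
        self.prefix = segment_prefix    # size of the protected network segment (Fig. 3)
        self.by_pair = by_pair          # key entries by (scope, DIP) instead of scope alone
        self.table = {}                 # the IP / network-segment statistics table
        self.blacklist = set()          # DIPs handed to a firewall after an alarm

    def _hit(self, scope, index, dip, now):
        """Set status bit `index` in the queue of `scope`; return the recorded
        DIPs once the number of set bits reaches the threshold, else None."""
        key = (scope, dip) if self.by_pair else scope
        entry = self.table.get(key)
        if entry is None or now - entry.start >= self.window:
            # No entry yet, or the previous window passed below the threshold:
            # the patent clears the recorded bits and addresses and starts over.
            entry = Entry(start=now)
            self.table[key] = entry
        entry.bitmap |= 1 << index      # a repeated probe of the same port sets no new bit
        entry.dips.add(dip)
        if bin(entry.bitmap).count("1") >= self.threshold:
            attackers = sorted(entry.dips)
            self.blacklist.update(attackers)
            del self.table[key]         # delete the entry so detection can continue
            return attackers
        return None

    def icmp_port_unreachable(self, sip, dip, o_dport, now):
        """Fig. 1: host SIP answered scanner DIP with ICMP port unreachable;
        the bit is the original destination port 0_DPORT in SIP's UDP port queue."""
        return self._hit(("udp", sip), o_dport, dip, now)

    def tcp_rst_seq0(self, sip, dip, tcp_sport, now):
        """Fig. 2: host SIP answered with a TCP RST whose sequence number is 0;
        the probed port is the RST's TCP source port, in SIP's TCP port queue."""
        return self._hit(("tcp", sip), tcp_sport, dip, now)

    def address_scan_reply(self, sip, dip, now):
        """Fig. 3: any of the three reply types. The scope is the protected
        segment containing SIP; the bit is SIP's offset inside that segment
        (assumed layout of the address queue)."""
        net = ipaddress.ip_network(f"{sip}/{self.prefix}", strict=False)
        offset = int(ipaddress.ip_address(sip)) - int(net.network_address)
        return self._hit(("net", str(net)), offset, dip, now)


def demo():
    """Run three constructed traffic patterns through one detector and return
    the alarms raised as (kind, protected scope, attacker addresses)."""
    det = ScanDetector(threshold=5, window=10.0)
    alarms = []
    # Constructed: 192.0.2.9 probes five closed UDP ports on 10.0.0.5 within 5 s.
    for i, port in enumerate([53, 67, 69, 123, 161]):
        hit = det.icmp_port_unreachable("10.0.0.5", "192.0.2.9", port, now=float(i))
        if hit:
            alarms.append(("udp-port-scan", "10.0.0.5", hit))
    # Constructed: three RSTs from 10.0.0.6 spaced 20 s apart; each one starts
    # a fresh window, so the set-bit count never reaches the threshold.
    for i, port in enumerate([22, 25, 80]):
        det.tcp_rst_seq0("10.0.0.6", "192.0.2.9", port, now=20.0 * i)
    # Constructed: a sweep of 10.0.1.0/24 answered by five different hosts.
    for i in range(5):
        hit = det.address_scan_reply(f"10.0.1.{10 + i}", "198.51.100.7", now=100.0 + i)
        if hit:
            alarms.append(("address-scan", "10.0.1.0/24", hit))
    return alarms


if __name__ == "__main__":
    for alarm in demo():
        print(*alarm)
```

Because the bitmap counts distinct ports (or hosts) rather than messages, a slow scan that stays below the threshold inside every window is not flagged; the patent's counter variant would trade that for sensitivity to repeated probes of one port.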
Based on the embodiments above, a person of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments can be completed by program instructions controlling the relevant hardware; the program can be stored in a computer-readable storage medium, and when executed it performs the steps of the method embodiments. The storage medium includes various media capable of storing program code, such as static memory (ROM), dynamic memory (RAM), magnetic disks or optical disks.
Some embodiments of the second aspect of the present invention:
Some embodiments of the second aspect provide an apparatus for detecting scanning attacks that comprises:
A first unit, which parses the received message information and records the destination port or the TCP source port in it. The first unit specifically comprises: a module for storing the IP statistics table; a module for parsing ICMP port unreachable messages or TCP RST messages; a module that, according to the SIP, or the SIP and DIP, of the ICMP port unreachable or TCP RST message, accesses the module storing the IP statistics table and looks up the corresponding entry in the table; and a module that sets the corresponding state information in the IP statistics table according to the SIP, where this state information corresponds to the target port in the entry's port queue. So that an entry can be created when no corresponding entry is found in the IP statistics table, the position in the corresponding entry set, or the relevant SIP and DIP recorded, the first unit may also be provided with a module for maintaining the IP statistics table; this module creates the corresponding entry according to the SIP, or the SIP and DIP, and allocates a UDP port queue and a DIP to that entry.
The apparatus also comprises: a second unit that counts the number of times the destination port or TCP source port is recorded within a predetermined time, and a third unit that raises an alarm when the number of times the destination port or TCP source port is recorded reaches a predetermined threshold.
Note that when each of the units above performs its function, it adopts the method of the embodiments of the first aspect described above; the specific operations such as parsing the message and setting bits are not repeated here.
Other embodiments of the second aspect of the present invention provide an apparatus for detecting scanning attacks that comprises:
A first component, which parses the received message information and records the DIP address in it. The first component specifically comprises: a module for storing the IP network segment statistics table; a module that, according to the SIP, or the SIP and DIP, of the ICMP port unreachable message, the ICMP protocol unreachable message or the TCP RST message with sequence number "0", looks up the corresponding entry in the IP network segment statistics table; and a module that sets the corresponding state information in the IP network segment statistics table, where this state information corresponds to one address in the entry's IP address queue. So that an entry can be created when no corresponding entry is found in the IP network segment statistics table, the position in the corresponding entry set, or the relevant SIP and DIP recorded, the first component may also be provided with a module for maintaining the IP network segment statistics table; this module creates the corresponding entry according to the SIP, or the SIP and DIP, and allocates an IP address queue to that entry.
The apparatus also comprises: a second component that counts the number of times the DIP is recorded within a predetermined time, and a third component that raises an alarm when the number of times the DIP is recorded reaches a predetermined threshold.
Note that when each of the components above performs its function, it adopts the method of the embodiments of the first aspect described above; the specific operations such as parsing the message and setting bits are not repeated here.
Finally, it should be noted that the embodiments above only illustrate the technical scheme of the present invention and do not limit it. Although the main technical schemes of the invention have been described in detail with reference to the embodiments above, a person of ordinary skill in the art should understand that the technical schemes of the embodiments can still be modified or replaced by equivalents, and that such modifications or equivalent replacements do not depart from the spirit and scope of the technical schemes disclosed by the embodiments of the invention.

Claims (16)

1. A method for detecting a scanning attack, characterized in that it comprises:
parsing received message information, and recording the destination port or TCP source port information in the message information;
counting the total number of times the different destination ports or different TCP source ports are recorded within a predetermined time;
when the total number of times the destination ports or TCP source ports are recorded reaches a predetermined threshold, judging that a scanning attack is occurring.
2. The method according to claim 1, characterized in that parsing the received message information and recording the destination port information in the message information specifically comprises:
parsing a received ICMP port unreachable message;
looking up the corresponding entry in an IP statistics table according to the outer SIP, or the SIP and DIP, of the ICMP port unreachable message;
setting the corresponding state information in the IP statistics table according to the destination port information in the original IP message carried in the ICMP port unreachable message, the state information corresponding to the matching destination port in the port queue of the entry.
3. The method according to claim 2, characterized in that it further comprises: when no corresponding entry is found in the IP statistics table, creating the corresponding entry according to the SIP, or the SIP and DIP, and allocating a UDP port queue and a DIP for the entry.
4. The method according to claim 1, characterized in that parsing the received message information and recording the TCP source port in the message information specifically comprises:
parsing a received TCP RST message and, when the sequence number of the TCP RST message is "0", looking up the corresponding entry in the IP statistics table according to the SIP, or the SIP and DIP, of the TCP RST message;
setting the corresponding state information in the IP statistics table according to the TCP source port of the TCP RST message, the state information corresponding to the matching TCP source port in the port queue of the entry.
5. The method according to claim 4, characterized in that it further comprises: when no corresponding entry is found in the IP statistics table, creating the corresponding entry according to the SIP, or the SIP and DIP, and allocating a TCP port queue and a DIP for the entry.
6. The method according to claim 2, 3, 4 or 5, characterized in that counting the number of times the destination port is recorded within the predetermined time specifically is: counting the number of corresponding state information items set in the IP statistics table within the predetermined time.
7. A device for detecting a scanning attack, characterized in that it comprises:
a first unit, for parsing received message information and recording the destination port or TCP source port information in the message information;
a second unit, for counting the total number of times the different destination ports or TCP source ports are recorded within a predetermined time;
a third unit, for judging that a scanning attack is occurring when the total number of times the destination ports or TCP source ports are recorded reaches a predetermined threshold.
8. The device according to claim 7, characterized in that the first unit specifically comprises:
a module for storing an IP statistics table;
a module for parsing ICMP port unreachable messages or TCP RST messages;
a module for accessing the module storing the IP statistics table according to the SIP, or the SIP and DIP, of the ICMP port unreachable message or TCP RST message, and looking up the corresponding entry in the IP statistics table;
a module for setting the corresponding state information in the IP statistics table according to the SIP, the state information corresponding to the matching destination port in the port queue of the entry.
9. The device according to claim 7 or 8, characterized in that the first unit further comprises a module for maintaining the IP statistics table; the module for maintaining the IP statistics table creates the corresponding entry according to the SIP, or the SIP and DIP, and allocates a UDP port queue and a DIP for the entry.
10. A method for detecting a scanning attack, characterized in that it comprises:
parsing received message information, and recording the DIP in the message information;
counting the total number of times the different DIPs are recorded within a predetermined time;
when the total number of times the DIPs are recorded reaches a predetermined threshold, judging that a scanning attack is occurring.
11. The method according to claim 10, characterized in that parsing the received message information and recording the DIP in the message information specifically comprises:
looking up the corresponding entry in an IP network segment statistics table according to the SIP, or the SIP and DIP, of an ICMP port unreachable message and/or a protocol unreachable message, or a TCP RST message whose sequence number is "0";
setting the corresponding state information in the IP network segment statistics table, the state information corresponding to one address in the IP address queue of the entry.
12. The method according to claim 11, characterized in that it further comprises: when no corresponding entry is found in the IP network segment statistics table, creating the corresponding entry according to the SIP, or the SIP and DIP, and allocating an IP address queue for the entry.
13. The method according to claim 10, 11 or 12, characterized in that counting the total number of times the different destination IPs are recorded within the predetermined time specifically is: counting the number of corresponding state information items set in the IP network segment statistics table within the predetermined time.
14. A device for detecting a scanning attack, characterized in that it comprises:
a first component, for parsing received message information and recording the DIP address in the message information;
a second component, for counting the total number of times the different DIPs are recorded within a predetermined time;
a third component, for judging that a scanning attack is occurring when the number of times the DIPs are recorded reaches a predetermined threshold.
15. The device according to claim 14, characterized in that the first component specifically comprises:
a module for storing an IP network segment statistics table;
a module for looking up the corresponding entry in the IP network segment statistics table according to the SIP, or the SIP and DIP, of an ICMP port unreachable message, a protocol unreachable message, or a TCP RST message whose sequence number is "0";
a module for setting the corresponding state information in the IP network segment statistics table, the state information corresponding to one address in the IP address queue of the entry.
16. The device according to claim 15, characterized in that the first component further comprises a module for maintaining the IP network segment statistics table; the module for maintaining the IP network segment statistics table creates the corresponding entry according to the SIP, or the SIP and DIP, and allocates an IP address queue for the entry.
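The following is an added example, not the patent's code, showing the two statistics tables the claims describe working together: a per-host entry whose port bitmap is filled from ICMP port unreachable replies and TCP RST replies with sequence number 0 (claims 1 to 9), and a per-/24 entry whose address bitmap is filled by the hosts of that segment that sent such replies (claims 10 to 16), each counted within a time window against a threshold. It assumes the scanned host is identified by the outer source IP of the reply (the probe's destination); the reply layout, traces, thresholds and the window length are constructed here.

```python
"""Added example (not the patent's code): a scan detector built on the two
statistics tables in the claims. Per-host table: bitmap of ports seen in
ICMP port-unreachable / TCP RST(seq=0) replies. Per-/24 table: bitmap of
hosts in that segment that sent such replies. Traces are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Reply:
    """Fields a parser would extract from one observed reply packet."""
    kind: str    # "icmp_port_unreach", "icmp_proto_unreach" or "tcp_rst"
    sip: str     # outer source IP: the host that answered the probe
    dip: str     # outer destination IP: where the reply is going
    port: int    # ICMP: dest port of the original IP message it carries;
                 # TCP RST: the RST's source port; 0 when not applicable
    seq: int     # TCP sequence number (RST only; 0 otherwise)
    ts: float    # arrival time in seconds


@dataclass
class Entry:
    window_start: float
    bits: set = field(default_factory=set)   # the "port queue"/"address queue"


class ScanDetector:
    def __init__(self, window_s=10.0, port_threshold=20, host_threshold=16):
        self.window_s = window_s
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self.ip_table = {}        # scanned host -> Entry of probed ports
        self.segment_table = {}   # /24 prefix -> Entry of replying hosts

    @staticmethod
    def segment(ip):
        return ".".join(ip.split(".")[:3])

    def _entry(self, table, key, ts):
        e = table.get(key)
        if e is None or ts - e.window_start > self.window_s:
            e = table[key] = Entry(window_start=ts)  # create, or restart window
        return e

    @staticmethod
    def _is_probe_reply(r):
        # A RST with seq 0 is what a closed port returns for a SYN probe; a RST
        # tearing down a live connection carries a non-zero sequence number.
        return r.kind == "icmp_port_unreach" or (r.kind == "tcp_rst" and r.seq == 0)

    def feed(self, r):
        """Record one reply; return the set of alarm names it triggers."""
        alarms = set()
        if self._is_probe_reply(r):
            e = self._entry(self.ip_table, r.sip, r.ts)
            e.bits.add(r.port)
            if len(e.bits) >= self.port_threshold:
                alarms.add("port_scan")
        # Host sweeps also count protocol-unreachable replies (claim 11).
        if self._is_probe_reply(r) or r.kind == "icmp_proto_unreach":
            e = self._entry(self.segment_table, self.segment(r.sip), r.ts)
            e.bits.add(r.sip)
            if len(e.bits) >= self.host_threshold:
                alarms.add("host_sweep")
        return alarms


def run_trace(replies, **kw):
    """Feed replies through a fresh detector; return every alarm raised."""
    det = ScanDetector(**kw)
    raised = set()
    for r in replies:
        raised |= det.feed(r)
    return raised


# Constructed traces. Port scan: one host answers probes on 20 different ports.
PORT_SCAN = [Reply("icmp_port_unreach", "10.0.0.5", "203.0.113.9", p, 0, 1 + p / 100)
             for p in range(1, 21)]
# Host sweep: 16 hosts in 10.0.0.0/24 each reset a SYN to port 445.
HOST_SWEEP = [Reply("tcp_rst", f"10.0.0.{h}", "203.0.113.9", 445, 0, 2 + h / 100)
              for h in range(1, 17)]
# Benign: one host's RSTs with non-zero seq (connection teardown) on many ports.
TEARDOWN = [Reply("tcp_rst", "10.0.0.5", "203.0.113.9", p, 123456, 3.0)
            for p in range(1, 21)]
```

Shrinking the window below the spacing of the probes (for example `run_trace(PORT_SCAN, window_s=0.1)`) restarts the entry before the threshold is reached, which is the false-alarm trade-off the predetermined time controls.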
CN2007101214366A 2007-09-06 2007-09-06 Method and device for detecting scanning attack Expired - Fee Related CN101123492B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101214366A CN101123492B (en) 2007-09-06 2007-09-06 Method and device for detecting scanning attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101214366A CN101123492B (en) 2007-09-06 2007-09-06 Method and device for detecting scanning attack

Publications (2)

Publication Number Publication Date
CN101123492A true CN101123492A (en) 2008-02-13
CN101123492B CN101123492B (en) 2012-01-18

Family

ID=39085682

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101214366A Expired - Fee Related CN101123492B (en) 2007-09-06 2007-09-06 Method and device for detecting scanning attack

Country Status (1)

Country Link
CN (1) CN101123492B (en)


Also Published As

Publication number Publication date
CN101123492B (en) 2012-01-18


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: H3C Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120118

Termination date: 20200906