CN101378395B - Method and apparatus for preventing denial-of-access attacks - Google Patents

Info

Publication number: CN101378395B (application CN2008101703136A; pre-grant publication CN101378395A)
Authority: CN (China)
Prior art keywords: address, trusted, tcp port, network equipment, address table
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2008101703136A
Other languages: Chinese (zh)
Other versions: CN101378395A (en)
Inventor: 王亮
Current assignee: Ruijie Networks Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Fujian Star Net Communication Co Ltd
Application filed by Fujian Star Net Communication Co Ltd; priority to CN2008101703136A; published as CN101378395A; application granted and published as CN101378395B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the field of communication security and provides a method and a device for preventing denial-of-access attacks, aimed at solving the high cost and low accuracy of SYN flood prevention in the prior art. The method comprises the following steps: a trusted IP address table is set up in a network device, storing trusted IP addresses and TCP port numbers; when a user initiates a connection request, the network device judges whether the destination TCP port and source IP address of the request match a corresponding record in the trusted IP address table, allows the connection to be established if they match, and otherwise refuses it. The invention has the advantages of high reliability, low cost and not needing to be implemented on a firewall, and a network device using the method processes connections faster than prior-art methods of preventing denial-of-access attacks.

Description

Method and device for preventing denial-of-access attacks
Technical field
The present invention relates to the network field, in particular to network security access technology, and specifically to a method and device for preventing denial-of-access attacks.
Background art
With the continuous development of network technology, networks bring people ever more convenience and people depend on them ever more, but this also poses a challenge to the security and reliability of networks. While enjoying the convenience that networks bring, people have begun to pay closer and closer attention to their security and reliability.
TCP, as a reliable transport protocol, is implemented on almost all network devices, and the WWW servers that people visit every day also transmit over TCP. Precisely because it is so widely used, hackers often use denial-of-service attacks to disrupt the TCP services a network device provides, and the most common TCP denial-of-service technique is the synchronize (SYN) flood.
Under normal conditions, establishing a TCP connection requires a three-way handshake, and terminating a TCP connection requires a four-way handshake. After the three-way handshake succeeds, client and server can begin transferring data; after the four-way handshake completes, both sides disconnect and communication ends. Figure 1 is a prior-art flow chart of establishing and closing one TCP connection, in 7 steps.
Step 1: the client sends TCP segment 1 carrying the SYN flag, indicating that it intends to connect to a port on the server; the segment's initial sequence number is 101, its end sequence number is 101, and it carries 0 data bytes.
Step 2: the server responds with TCP segment 2 carrying the SYN and ACK flags, with initial sequence number 200, end sequence number 200 and 0 data bytes. At the same time the server acknowledges segment 1 from the client, replying ACK 102.
Step 3: the client sends segment 3 carrying the ACK flag, acknowledging the server's segment 2 with ACK 201. At this point the 3 segments have completed connection establishment, i.e. the three-way handshake.
Step 4: the client sends TCP segment 4 carrying the FIN and ACK flags, indicating that it wishes to close the connection and will send no more data to the server. The segment's initial sequence number is 102, its end sequence number is 102 and it carries 0 data bytes. The acknowledgement number returned to the server is ACK 201, the same as in segment 3, meaning the client has received no data from the server in the meantime.
Step 5: the server responds with segment 5 carrying the ACK flag, with acknowledgement number 103, acknowledging the FIN in segment 4.
Step 6: the server sends segment 6 carrying the FIN and ACK flags, indicating that it wishes to close the connection and will send no more data to the client. The segment's initial sequence number is 201, its end sequence number is 201 and it carries 0 data bytes. The acknowledgement number returned to the client is ACK 103, the same as in segment 5, meaning the server has received no data from the client in the meantime.
Step 7: the client sends segment 7 carrying the ACK flag, with acknowledgement number 202, acknowledging the FIN in segment 6. Segments 4 to 7 have thus completed the connection close, i.e. the four-way handshake.
The most common TCP attack today is the SYN flood: the attacker sends large numbers of forged TCP connection requests so that the victim's resources (memory, CPU and network bandwidth) are exhausted. Because TCP itself does not check the legitimacy of a connection request, the SYN flood exploits this weakness of the protocol. The attacker sends many SYN segments to the victim; the victim must process each of these connection requests and reply with a SYN+ACK segment. Because the attacker never acknowledges the segments the victim sends, and because TCP provides a reliable service, the victim must retransmit the earlier SYN+ACK if no acknowledgement arrives within a certain time, and generally retransmits several times (the total retransmission time is the SYN timeout). This seriously wastes the victim's CPU and the memory needed to maintain these connections. The SYN segments the attacker sends can vary the source IP address, source port and initial sequence number in any combination.
The two most common and most widely used methods of preventing SYN floods on network devices are shortening the SYN timeout and SYN cookies. The former frees system resources quickly by shortening the SYN retransmission time, but it is only suitable when the attack rate is not high. The latter assigns a cookie to each IP address that requests a connection and treats SYN segments received from the same IP address within a short time as an attack, but it cannot handle an attacker whose IP address keeps changing.
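As an added illustration of the second prior-art defence named above (this is example code written for this page, not code from the patent or its assignee): the server answers segment 1 of Figure 1 with a SYN+ACK whose initial sequence number is a keyed hash of the connection's 4-tuple plus a coarse time counter, stores nothing, and only creates connection state when segment 3 arrives with an acknowledgement number that verifies. The secret key, the MSS table, the 5/3/24-bit layout and the 64-second counter granularity are assumptions modelled on common stack implementations, and the addresses in the helper are constructed sample input.

```python
"""Stateless SYN cookie generation and verification (added example)."""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"example-only secret; real stacks use a random per-boot key"  # assumed
MSS_TABLE = (536, 1024, 1220, 1440, 1460)   # MSS values encodable in 3 bits (assumed)
COUNTER_PERIOD = 64                          # seconds per counter tick (assumed)


def _hash24(saddr, daddr, sport, dport, counter):
    """Keyed hash over the 4-tuple and the 5-bit time counter, cut to 24 bits."""
    msg = struct.pack("!IIHHB",
                      int(ipaddress.IPv4Address(saddr)),
                      int(ipaddress.IPv4Address(daddr)),
                      sport, dport, counter & 0x1F)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """Initial sequence number for the SYN+ACK (segment 2 in Figure 1).
    Layout (32 bits): 5-bit counter | 3-bit MSS index | 24-bit keyed hash.
    Nothing is stored for the half-open connection: the cookie is the state."""
    counter = (int(now) // COUNTER_PERIOD) & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):       # largest table entry <= peer's MSS
        if m <= mss:
            mss_idx = i
    return (counter << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, counter)


def check_cookie(saddr, daddr, sport, dport, ack, now, max_age=1):
    """Validate the final ACK (segment 3 in Figure 1) purely from its fields.
    Returns the MSS encoded in the cookie, or None if the cookie is forged,
    belongs to another 4-tuple, or is older than max_age counter ticks."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client acknowledges our ISN + 1
    cookie_ctr = cookie >> 27
    age = (((int(now) // COUNTER_PERIOD) & 0x1F) - cookie_ctr) & 0x1F
    if age > max_age:
        return None
    if (cookie & 0xFFFFFF) != _hash24(saddr, daddr, sport, dport, cookie_ctr):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def server_under_flood(syns, now):
    """Why a cookie server keeps no half-open queue: each SYN gets a SYN+ACK
    computed on the fly, and only a verified third packet creates state.
    `syns` is a list of (saddr, sport, completes) aimed at one service on
    192.0.2.1:179 (constructed); returns how many connections completed."""
    established = 0
    for saddr, sport, completes in syns:
        isn = make_cookie(saddr, "192.0.2.1", sport, 179, 1460, now)
        if completes:                        # a real peer answers ACK isn+1
            if check_cookie(saddr, "192.0.2.1", sport, 179, isn + 1, now) is not None:
                established += 1
        # spoofed sources never answer, and no queue entry was ever allocated
    return established
```

The 5-bit counter wraps every 32 ticks, so an old cookie becomes valid again after about 34 minutes with these constants; real stacks accept that trade-off because the cookie still binds the 4-tuple, which is exactly why this defence does not care whether the attacker's source address changes (the patent's characterisation above describes a per-IP rate check rather than this stateless form).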
Chinese patent publication CN1822593, titled "A network security protection method for resisting denial-of-service attack events", includes a process for verifying the legitimacy of TCP connection requests. That scheme uses a firewall device as the first layer of protection: the relaying firewall first completes the TCP three-way handshake with the user on the protected device's behalf and thereby filters out some denial-of-service attacks. The method thus makes the firewall a proxy for the TCP service that handles TCP SYN floods in place of the network device. A TCP proxy generally runs at the application layer, the number of half-open connections it can handle is limited, and it is easily overwhelmed; because the three-way handshake now passes through an extra proxy, the speed of establishing TCP connections inevitably suffers; and the user has to buy specialised equipment such as a firewall when deploying the network, which raises the network operator's cost, an expense that ordinary small and medium-sized enterprise users probably cannot bear, so the technique is hard to popularise. If that technique receives, within a specific time, another packet whose port and IP are consistent with an earlier one and that has not timed out, it considers the connection request legitimate and adds the IP address to a linked list of legitimate IP address connection records. If the ports and IPs of SYN flood segments recur within the time window that technique uses, an illegitimate user may be taken for a legitimate one; so this technique still carries some risk and cannot accurately determine a user's legitimacy.
It is incorporated herein by reference.
Summary of the invention
The object of the present invention is to provide a method for preventing denial-of-access attacks, to solve the deficiencies of the prior art, namely the high cost of defending against attacks and the ease with which an illegitimate attack is mistaken for a legitimate connection.
A further object of the present invention is to provide a device for preventing denial-of-access attacks, which solves the prior art's inability to judge the legitimacy of a connection accurately and overcomes the prior art's need to be implemented on a firewall device.
To solve the above problems, an embodiment of the invention provides a method for preventing denial-of-access attacks, characterised in that: a trusted IP address table is set up in the network device, storing trusted IP addresses and TCP port numbers; when a user initiates a connection request, the network device judges whether the destination TCP port and source IP address of the request match a corresponding record in the trusted IP address table, allows the connection if they match and refuses it otherwise. The trusted IP address table is a two-level linked list: either the TCP port number is the first-level list and the IP addresses corresponding to that TCP port number form the second-level list, or the IP address is the first-level list and the TCP port numbers corresponding to that IP address form the second-level list.
According to a further aspect of the method of the embodiment, the step in which the network device judges whether the destination TCP port and source IP address of the connection request match a corresponding record in the trusted IP address table comprises: first matching the destination TCP port or the source IP address of the connection request against the first-level list, then matching the source IP address or the destination TCP port number against the second-level list that corresponds to the matched first-level entry.
According to a further aspect of the method of the embodiment, before the step in which the network device judges whether the destination TCP port and source IP address match a corresponding record in the trusted IP address table, the method further comprises judging, from the destination TCP port of the connection request, whether the service on that TCP port is open on the network device; if it is open the matching step is carried out, otherwise the connection is refused.
According to a further aspect of the method of the embodiment, in the refuse-connection step the network device either directly discards the connection request segment or returns a connection reset segment to the user terminal.
According to a further aspect of the method of the embodiment, the step of setting up a trusted IP address table in the network device comprises the network device automatically configuring the trusted IP addresses and TCP port numbers in the trusted IP address table from information about adjacent network devices.
To solve the above problems, an embodiment of the invention also provides a device for preventing denial-of-access attacks, comprising a communication unit of the network device and characterised by further comprising a matching unit, a refuse-connection unit, an allow-connection unit and a trusted IP address table. The trusted IP address table stores the IP addresses and TCP port numbers of other network devices that are allowed to connect to this network device. The communication unit communicates with user terminals and receives their connection requests; the matching unit judges whether the destination TCP port and source IP address of a connection request match a corresponding record in the trusted IP address table, and if they match calls the allow-connection unit to establish the connection between the network device and the user terminal, otherwise calls the refuse-connection unit to refuse the connection between the network device and the user terminal. The trusted IP address table has two levels of linked list: either the TCP port number is the first-level list and the IP addresses corresponding to that TCP port number form the second-level list, or the IP address is the first-level list and the TCP port numbers corresponding to that IP address form the second-level list.
According to a further aspect of the device of the embodiment, it also comprises an add unit and a delete unit, each connected to the communication unit and to the trusted IP address table, through which the trusted IP addresses and TCP port numbers in the trusted IP address table are configured.
According to another further aspect of the device of the embodiment, it also comprises an automatic unit that automatically configures the trusted IP addresses and TCP port numbers in the trusted IP address table from information stored on the network device about its adjacent network devices.
According to another further aspect of the device of the embodiment, the refuse-connection unit directly discards the connection request segment or returns a connection reset segment to the user terminal.
The beneficial effects of the embodiments of the invention are high reliability, low cost, no need to implement on a firewall, and faster connection processing on a network device using the method of the invention than with prior-art methods of defending against denial-of-access attacks.
Brief description of the drawings
The accompanying drawings are provided for further understanding of the invention and form part of this application; they do not limit the invention. In the drawings:
Figure 1 is a prior-art flow chart of establishing and closing a TCP connection;
Figure 2 is a schematic of the trusted IP address table set up in the first embodiment of the invention;
Figure 3 is a schematic of the trusted IP address table set up in the second embodiment of the invention;
Figure 4 is a flow chart of an embodiment of adding to the trusted IP address table according to the invention;
Figure 5 is a flow chart of the first embodiment of deleting from the trusted IP address table according to the invention;
Figure 6 is a flow chart of the second embodiment of deleting from the trusted IP address table according to the invention;
Figure 7 is a flow chart of the third embodiment of deleting from the trusted IP address table according to the invention;
Figure 8 is a schematic of an embodiment in which the network device of the invention learns the table automatically;
Figure 9 is a flow chart of an embodiment in which the network device of the invention is connected to by another network device;
Figure 10 is the structure diagram of the device for preventing TCP denial-of-service attacks on the network device of the invention.
Embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below in conjunction with embodiments and the accompanying drawings. The exemplary embodiments and their explanation serve to explain the invention and do not limit it.
Embodiments of the invention provide a method and device for preventing denial-of-access attacks. The invention is described in detail below with reference to the drawings.
Figure 2 is a schematic of the trusted IP address table set up in the first embodiment of the invention. A trusted IP address table as shown is configured on a server or relay device in the network. Every IP address in the table is a trusted IP address for a particular service port, so each TCP port provided on the network device is subject to a source IP address restriction. For port 23 of the Telnet service, for example, a group of trusted user IP addresses that are allowed to connect can be configured on that port of the device. For port 179 of BGP, the neighbour relationships of the BGP protocol itself can be used: the system automatically adds neighbour IPs to the trusted IP address table according to the neighbours the user has configured, and automatically deletes a neighbour's IP from the trusted IP address table when that neighbour is deleted.
There are two ways to create and maintain the trusted TCP connection IP address table: manual configuration by the user, and automatic learning by the network device. The trusted IP address table is organised as a two-level linked list: the first-level list holds the TCP service port numbers, and the second-level list holds the trusted user IP addresses under each TCP port number.
Figure 3 is a schematic of the trusted IP address table set up in the second embodiment of the invention: here the trusted IP address is the first-level list and the TCP service port numbers corresponding to that trusted IP address form the second-level list.
Figure 4 is a flow chart of an embodiment of adding to the trusted IP address table. The user terminal establishes a connection with the network device over the Internet and adds a trusted IP address or TCP port to the trusted IP address table on that network device. The user terminal enters the IP address to add and the corresponding TCP port number; the IP address is the trusted IP address and the TCP port number is the TCP service port.
The flow comprises step 401: start of the add flow.
Step 402: the network device judges whether the TCP port the user wants to add is open. If it is open, go to step 403, otherwise go to step 404. This step reduces the matching work done on the trusted IP address table and improves the efficiency of the network device.
Step 403: the network device judges whether the IP address the user is adding already exists in the trusted IP address table of this network device. If it already exists, go to step 404, otherwise go to step 405.
Step 404: end of the add flow.
Step 405: add the trusted IP address entered by the user to the trusted IP address table.
For the network device administrator, adding a trusted IP address is completed by entering a simple configuration command at the user terminal.
In a preferred embodiment using the trusted IP address table of Figure 2, when the user adds a trusted IP address for a new TCP port, one first-level list record and one second-level list record are generated in the table. If the user wants to configure several trusted IP addresses on a TCP port, the corresponding number of second-level records is added under that TCP port's first-level record; in Figure 2, service port 23 has several second-level records. The user can also add one IP address to several service ports; in Figure 2, the IP address 192.168.0.1 appears under the three first-level records for TCP ports 23, 80 and 179. The same approach also applies to the embodiment shown in Figure 3.
Figure 5 is a flow chart of the first embodiment of deleting from the trusted IP address table. The user terminal establishes a connection with the network device over the Internet and deletes an IP address from the trusted IP address table on that device; the trusted IP address table here is the embodiment shown in Figure 2. The user terminal enters the IP address to delete and the corresponding TCP port number; the IP address is the trusted IP address and the TCP port number is the TCP service port.
The flow comprises step 501: start of the delete flow.
Step 502: look for the corresponding TCP port number in the first-level list of the network device's trusted IP address table; if it is not found go to step 507, otherwise go to step 503.
Step 503: in the second-level list of that TCP port number, if the list holds no IP address record go to step 504, otherwise go to step 505.
Step 504: delete that TCP port number's record from the first-level list and go to step 507.
Step 505: look in the IP addresses of the second-level list for the one equal to the IP address the user terminal entered; if the IP address is found go to step 506, otherwise go to step 507.
Step 506: delete the found IP address from the trusted IP address table.
Step 507: end of the delete flow.
Figure 6 is a flow chart of the second embodiment of deleting from the trusted IP address table. The user terminal establishes a connection with the network device over the Internet and deletes an IP address from the trusted IP address table on that device; the trusted IP address table here is the embodiment shown in Figure 3. The user terminal enters the IP address to delete and the corresponding TCP port number; the IP address is the trusted IP address and the TCP port number is the TCP service port.
The flow comprises step 601: start of the delete flow.
Step 602: look for the corresponding IP address in the first-level list of the network device's trusted IP address table; if it is not found go to step 607, otherwise go to step 603.
Step 603: in the second-level list of that IP address, if the list holds no TCP port record go to step 604, otherwise go to step 605.
Step 604: delete that IP address's record from the first-level list and go to step 607.
Step 605: look in the TCP ports of the second-level list for the one equal to the TCP port the user terminal entered; if the TCP port is found go to step 606, otherwise go to step 607.
Step 606: delete the found TCP port record from the trusted IP address table.
Step 607: end of the delete flow.
Figure 7 is a flow chart of the third embodiment of deleting from the trusted IP address table. The user terminal establishes a connection with the network device over the Internet and deletes an IP address from the trusted IP address table on that device; the trusted IP address table here is the embodiment shown in Figure 2. The user terminal enters only the IP address to delete; that IP address is looked up under all TCP ports of the first-level list of the trusted IP address table and deleted.
The flow comprises step 701: start of the delete flow.
Step 702: in the network device's trusted IP address table, look under all TCP port numbers for records holding the corresponding IP address; if any is found go to step 703, otherwise go to step 704.
Step 703: delete the found IP address records.
Step 704: end of the delete flow.
Figure 8 is a schematic of the embodiment in which the network device learns the table automatically. For a network device that communicates over TCP and can also obtain its neighbour relationships (i.e. stores neighbour IP addresses), for example a network device running the Border Gateway Protocol (BGP), the device holds its neighbours' IP addresses and automatically adds the corresponding neighbour IP addresses to the trusted TCP connection IP address table according to the configured neighbour relationships, without any action by the network administrator.
Figure 8 shows the basic configuration that forms a BGP session between two devices. From the configuration in the figure, router A's neighbour is the IP address of router B's interface Fa0/1, and router B's neighbour is the IP address of router A's interface Fa0/1. In this environment router A enables BGP, its local autonomous system (AS) is configured as 100, the address of its neighbour router B is 192.168.1.2 and that neighbour's AS is 200; router B enables BGP, its local AS is configured as 200, the address of its neighbour router A is 192.168.1.1 and that neighbour's AS is 100. With this configuration, router A performs an add operation, adding the user with IP address 192.168.1.2 and port 179 to router A's trusted IP address table; likewise router B performs an add operation, adding the user with IP address 192.168.1.1 and port 179 to router B's trusted IP address table. When router A or B forms further BGP neighbour relationships with other network devices, those neighbours' port numbers and IP addresses are also added to the trusted IP address table automatically, and when a neighbour of router A or B is removed, that neighbour is automatically deleted from the trusted TCP connection IP address table.
This mode of automatic learning applies to every protocol that communicates over TCP and has neighbour relationships. This capability of the network device provides a secure and reliable connection service for these protocols and at the same time protects the network device from SYN floods.
Figure 9 is a flow chart of the embodiment in which the network device of the invention is connected to by another network device; this example uses the trusted IP address table of the first embodiment.
The flow comprises step 901: the network device receives a connection request sent by a user.
Step 902: obtain the destination TCP port number and source IP address of the connection request.
Step 903: judge whether the network device being connected to has opened this TCP port; if it has, go to step 904, otherwise go to step 906. This step reduces the matching work done on the trusted IP address table and improves the efficiency of the network device.
Step 904: judge whether the destination TCP port number is in the network device's trusted IP address table; if it is, go to step 905, otherwise go to step 906.
Step 905: judge whether the source IP address is among the IP address records of the corresponding TCP port in the trusted IP address table of the network device being connected to; if it is, go to step 911, otherwise go to step 906.
Step 906: the network device being connected to refuses the user's connection.
Step 907: judge whether the network device being connected to sends a segment with the RST flag, i.e. a connection reset segment. If it does, go to step 908, otherwise go to step 909.
Step 908: send the RST segment.
Step 909: directly discard the request segment.
Step 910: the connection has failed; the connection step ends.
Step 911: accept the connection request.
Step 912: complete the TCP three-way handshake.
Step 913: the connection has succeeded; the connection step ends.
In a preferred embodiment, if the trusted IP address table of the second embodiment is used, steps 904 and 905 are swapped.
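The table of Figures 2 and 3, the add flow of Figure 4, the delete flows of Figures 5 to 7, the BGP neighbour learning of Figure 8 and the admission decision of Figure 9, as one added worked example (written for this page; it is not the patentee's code). Python dicts and sets stand in for the patent's two-level linked lists, the example generalises both layouts behind one `port_first` switch so that the swap of steps 904 and 905 is a single parameter, and the open-port set, the `BGP_PORT` constant and all addresses are constructed sample input.

```python
"""Trusted IP address table and connection admission (added example)."""

ACCEPT, RST, DROP = "accept", "rst", "drop"
BGP_PORT = 179                                 # assumed BGP service port


class TrustedIpTable:
    """Two-level table.  port_first=True is the Figure 2 layout (TCP port ->
    trusted source IPs); port_first=False is the Figure 3 layout (source IP ->
    TCP ports).  Both answer the same question: is (port, ip) trusted?"""

    def __init__(self, open_ports, port_first=True):
        self.open_ports = set(open_ports)      # services enabled on the device
        self.port_first = port_first
        self.entries = {}                      # first-level key -> set of second-level keys

    def _keys(self, port, ip):
        return (port, ip) if self.port_first else (ip, port)

    def add(self, port, ip):
        """Figure 4: refuse ports that are not open (step 402) and duplicates (403)."""
        if port not in self.open_ports:
            return False
        first, second = self._keys(port, ip)
        bucket = self.entries.setdefault(first, set())
        if second in bucket:
            return False
        bucket.add(second)                     # step 405
        return True

    def delete(self, port, ip):
        """Figures 5 and 6: the same flow with first/second level swapped by layout.
        A first-level record whose second-level list is empty is removed (504/604)."""
        first, second = self._keys(port, ip)
        bucket = self.entries.get(first)
        if bucket is None:                     # step 502/602: not in first level
            return False
        if not bucket:                         # step 503/603 -> 504/604
            del self.entries[first]
            return True
        if second not in bucket:               # step 505/605: no match
            return False
        bucket.discard(second)                 # step 506/606
        return True

    def delete_ip_everywhere(self, ip):
        """Figure 7: remove one IP from every TCP port it is trusted on.
        Returns how many records were deleted."""
        if self.port_first:
            hits = [p for p, ips in self.entries.items() if ip in ips]
            for p in hits:
                self.entries[p].discard(ip)
            return len(hits)
        return len(self.entries.pop(ip, set()))

    def trusts(self, port, ip):
        """Steps 904 then 905 (or 905 then 904 for the Figure 3 layout)."""
        first, second = self._keys(port, ip)
        return second in self.entries.get(first, ())


def on_bgp_neighbor_change(table, neighbor_ip, added):
    """Figure 8: mirror the device's BGP neighbour list into the table so that
    port 179 only accepts SYNs from configured peers, with no operator action."""
    if added:
        return table.add(BGP_PORT, neighbor_ip)
    return table.delete(BGP_PORT, neighbor_ip)


def admit(table, dst_port, src_ip, send_rst=True):
    """Figure 9: decide a connection request from its destination port and
    source IP before any handshake state is allocated."""
    reject = RST if send_rst else DROP         # steps 907 to 910
    if dst_port not in table.open_ports:       # step 903
        return reject
    if not table.trusts(dst_port, src_ip):     # steps 904/905 -> 906
        return reject
    return ACCEPT                              # steps 911 to 913


def triage_syns(table, syns, send_rst=False):
    """Run a list of (src_ip, dst_port) SYNs through admit() and tally the
    outcome; a spoofed flood is turned away at step 906 without consuming
    half-open connection state."""
    tally = {ACCEPT: 0, RST: 0, DROP: 0}
    for src_ip, dst_port in syns:
        tally[admit(table, dst_port, src_ip, send_rst)] += 1
    return tally


def figure2_table():
    """The table of Figure 2: several trusted IPs on Telnet port 23, and
    192.168.0.1 trusted on ports 23, 80 and 179 (addresses constructed)."""
    t = TrustedIpTable(open_ports={22, 23, 80, 179})
    for port, ip in [(23, "192.168.0.1"), (23, "192.168.0.2"), (23, "192.168.0.3"),
                     (80, "192.168.0.1"), (179, "192.168.0.1")]:
        t.add(port, ip)
    return t
```

Two practical points the flow chart leaves implicit: the decision in `admit` runs on the first SYN, so the device never queues a SYN+ACK retransmission for an untrusted source, which is what removes the SYN-timeout cost the background section describes; and because a TCP port that is open but has no trusted record rejects everyone, adding a service to `open_ports` without also adding its trusted peers locks that service out until the table is populated.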
Figure 10 shows the structure of the device for preventing TCP denial-of-service attacks on the network device of the present invention. It comprises a communication unit 1001, a matching unit 1002, a trusted IP address table 1003, a refuse-connection unit 1004, an allow-connection unit 1005, a deletion unit 1006, an addition unit 1007 and an automatic unit 1008.
The communication unit 1001 is connected to the matching unit 1002, the addition unit 1007 and the deletion unit 1006 respectively; the trusted IP address table is likewise connected to the matching unit 1002, the addition unit 1007 and the deletion unit 1006; and the matching unit 1002 is connected to the refuse-connection unit 1004 and the allow-connection unit 1005 respectively.
The communication unit 1001 communicates with external devices.
The trusted IP address table 1003 stores the IP addresses and TCP ports that are allowed to access this network device.
The addition unit 1007 adds records to the trusted IP address table under the user's control.
The deletion unit 1006, under the user's control, finds the corresponding IP address or TCP port record and deletes it from the trusted IP address table.
The automatic unit 1008 automatically configures the trusted IP addresses and TCP port numbers in the trusted IP address table according to the information about adjacent network devices stored on this network device. This configuration includes add and delete operations.
The matching unit 1002 matches the connection request message received by the network device against the trusted IP address table: if the destination TCP port number and source IP address of the connection request are identical to a record in the trusted IP address table, it calls the allow-connection unit 1005 for processing; otherwise it calls the refuse-connection unit 1004 for processing or directly discards the connection request message.
The allow-connection unit 1005 establishes the connection between the network device and the connection requester, performing the prior-art three-way handshake.
The refuse-connection unit 1004 sends a prior-art connection reset message to the terminal that initiated the connection request.
As a preferred embodiment, the user is the administrator of the network device and the network device is a router. The administrator manually adds or deletes entries in the trusted IP address table of the router: through the connection to the communication unit 1001, the addition unit 1007 and the deletion unit 1006 are called to configure the trusted IP address table 1003, specifying which IP addresses, or which TCP ports, terminals may use to connect to this router. Alternatively, the router can use the automatic unit 1008 to obtain the IP address information of adjacent network devices according to protocols such as BGP and automatically add the information about those adjacent devices to the trusted IP address table.
When a user terminal initiates a connection request, the communication unit 1001 of the network device receives the request and extracts the destination TCP port and source IP address from the request message; the matching unit 1002 looks them up in the trusted IP address table 1003. If a record with the same TCP port and IP address is found in the trusted IP address table 1003, the allow-connection unit 1005 is called to establish the connection between the network device and the user terminal; if the matching unit 1002 finds no identical record in the trusted IP address table 1003, the refuse-connection unit 1004 is called to send a reset message to the requesting end, or the connection request message is directly discarded.
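The flow of steps 904 to 913 and the device units just described (trusted table with add and delete units, an automatic unit fed from BGP neighbours, and the RST-or-drop refusal choice) are illustrated below in Python. This is an added example, not code from the patent; the class and function names, the convention that neighbours are trusted on TCP port 179, and the sample addresses are all constructed assumptions.

```python
"""Admission check for inbound TCP SYNs against a trusted IP address table,
following the page's flow (open-service check, steps 904-913) and the
automatic unit. Added illustration; every name and address is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address

ACCEPT, DROP, RST = "accept", "drop", "rst"
BGP_PORT = 179  # assumption: BGP neighbours are trusted on the BGP port

@dataclass
class TrustedTable:
    """Two-level table. First embodiment: port -> trusted source IPs.
    ip_first=True swaps the levels (second embodiment: IP -> ports)."""
    ip_first: bool = False
    entries: dict = field(default_factory=dict)

    def _keys(self, port, ip):
        ip = str(ip_address(ip))  # normalise the textual form of the address
        return (ip, port) if self.ip_first else (port, ip)

    def add(self, port, ip):  # addition unit
        k1, k2 = self._keys(port, ip)
        self.entries.setdefault(k1, set()).add(k2)

    def delete(self, port, ip):  # deletion unit
        """Remove one record; drop the first-level entry once it is empty."""
        k1, k2 = self._keys(port, ip)
        self.entries.get(k1, set()).discard(k2)
        if k1 in self.entries and not self.entries[k1]:
            del self.entries[k1]

    def is_trusted(self, port, ip):  # matching unit
        # first-level lookup (step 904), then second-level (step 905); swapped when ip_first
        k1, k2 = self._keys(port, ip)
        return k2 in self.entries.get(k1, set())

    def auto_add_neighbors(self, neighbor_ips):  # automatic unit
        """Trust every neighbour the device has learned, on the BGP port."""
        for ip in neighbor_ips:
            self.add(BGP_PORT, ip)

def handle_syn(table, open_ports, dst_port, src_ip, send_rst=True):
    """Decide the fate of one SYN. Neither refuse path allocates any
    connection state, which is the resource-saving point of the scheme."""
    if dst_port not in open_ports:              # service open on this port? (claim 3)
        return RST if send_rst else DROP
    if not table.is_trusted(dst_port, src_ip):  # steps 904-906
        return RST if send_rst else DROP        # steps 907-910: RST or silent drop
    return ACCEPT                               # steps 911-913: proceed to handshake

def demo(ip_first=False):
    """Constructed sample: one admin host allowed on SSH, two BGP neighbours."""
    table = TrustedTable(ip_first=ip_first)
    table.add(22, "192.0.2.10")
    table.auto_add_neighbors(["198.51.100.1", "198.51.100.2"])
    open_ports = {22, BGP_PORT}
    return [
        handle_syn(table, open_ports, 22, "192.0.2.10"),                   # trusted -> accept
        handle_syn(table, open_ports, 22, "203.0.113.7"),                  # untrusted -> rst
        handle_syn(table, open_ports, 22, "203.0.113.7", send_rst=False),  # untrusted -> drop
        handle_syn(table, open_ports, BGP_PORT, "198.51.100.2"),           # auto-added -> accept
        handle_syn(table, open_ports, 80, "192.0.2.10"),                   # port not open -> rst
    ]
```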
The beneficial effects of the present invention are as follows. Attack detection is accurate: compared with the prior art, the prior-art defence methods based on connection-request verification mainly rely on repeatedly collecting message information and comparing it before and after to identify legitimate connections, or on validity checks of the sequence numbers of TCP connection messages, and such defence methods still misjudge in some cases. The present invention verifies the source IP address directly and defends against denial-of-access SYN flood attacks directly at the source, with no misjudgement.
Attack defence is effective: current attack-defence techniques all consume part of the system resources in order to record basic information about the attacker, such as the IP address, TCP port number and TCP message sequence number. The present scheme defends against denial-of-access SYN floods directly at the source and allocates no system resources at all for users who fail the validity check; it has neither the SYN timeout nor the SYN cookie technical defects, and therefore defends more effectively against the "denial of service" and "service degradation" caused by SYN attacks. In addition, the way a connection is refused can be selected by setting whether a message with the RST flag bit is sent; if the mode that does not send RST is adopted, CPU resources are saved as well.
Operation is simple and network operating cost is low: the present scheme only requires the user to configure a trusted IP address table, which is very simple to operate. Moreover, the user does not need to buy an expensive firewall or other special equipment; the prevention of denial-of-access SYN flood attacks can be implemented directly on the network device, reducing the network's operating cost.
Trusted-user management is convenient and flexible: an ordinary TCP protocol stack does not restrict the source IP address of a connection request, so it cannot enable detection of legitimate (trusted) users on a specific TCP port, still less configure a particular user as a trusted user.
In the present scheme, the network administrator only needs to know which TCP ports are enabled on the network and then add the trusted users' IP addresses to the source IP address table for those ports with a simple configuration command to prevent denial-of-access SYN flood attacks. If a certain user is to be set as untrusted, it is only necessary to delete the corresponding IP address from the corresponding source IP address table. In addition, for protocols with neighbour relationships such as BGP, the scheme can automatically generate the trusted IP address table from the neighbour relationship, which is quite flexible to use and reduces the administrator's configuration burden.
The above embodiments further describe the purpose, technical scheme and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit the scope of the invention; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (9)

1. A method for preventing a denial-of-access attack, characterized in that the method comprises: setting a trusted IP address table in a network device, the trusted IP address table storing trusted IP addresses and TCP port numbers; when a user initiates a connection request, the network device judges whether the destination TCP port and source IP address of the connection request match a corresponding record in the trusted IP address table; if they match, the connection is allowed, otherwise the connection is refused;
wherein the trusted IP address table is a two-level linked list: either the TCP port number is the first-level linked list and the IP addresses corresponding to that TCP port number are the second-level linked list, or the IP address is the first-level linked list and the TCP port numbers corresponding to that IP address are the second-level linked list.
2. The method for preventing a denial-of-access attack according to claim 1, characterized in that the step in which the network device judges whether the destination TCP port and source IP address of the connection request match a corresponding record in the trusted IP address table comprises: first matching the destination TCP port or the source IP address data of the connection request against the first-level linked list, and then matching the source IP address or the destination TCP port number data against the second-level linked list corresponding to that first-level linked list.
3. The method for preventing a denial-of-access attack according to claim 1, characterized in that, before the step in which the network device judges whether the destination TCP port and source IP address of the connection request match a corresponding record in the trusted IP address table, the method further comprises judging, according to the destination TCP port of the connection request, whether the service on that TCP port has been opened on the network device; if it has been opened, the matching step is carried out, otherwise the connection is refused.
4. The method for preventing a denial-of-access attack according to claim 1 or 3, characterized in that in the refuse-connection step the network device directly discards the connection request message or returns a connection reset message to the user terminal.
5. The method for preventing a denial-of-access attack according to claim 1, characterized in that the step of setting a trusted IP address table in the network device comprises: the network device automatically configures the trusted IP addresses and TCP port numbers in the trusted IP address table according to information about adjacent network devices.
6. A device for preventing a denial-of-access attack, comprising a communication unit of a network device, characterized in that the device further comprises a matching unit, a refuse-connection unit, an allow-connection unit and a trusted IP address table; wherein the trusted IP address table stores the IP addresses and TCP port numbers of other network devices that are allowed to connect to this network device;
the communication unit communicates with user terminals and receives a connection request from a user terminal; the matching unit judges whether the destination TCP port and source IP address of the connection request match a corresponding record in the trusted IP address table; if they match, the allow-connection unit is called to establish the connection between the network device and the user terminal, otherwise the refuse-connection unit is called to refuse the connection between the network device and the user terminal;
wherein the trusted IP address table has a two-level linked list: either the TCP port number is the first-level linked list and the IP addresses corresponding to that TCP port number are the second-level linked list, or the IP address is the first-level linked list and the TCP port numbers corresponding to that IP address are the second-level linked list.
7. The device for preventing a denial-of-access attack according to claim 6, characterized in that it further comprises an addition unit and a deletion unit, each connected to the communication unit and to the trusted IP address table, the trusted IP addresses and TCP port numbers in the trusted IP address table being configured through the addition unit and the deletion unit.
8. The device for preventing a denial-of-access attack according to claim 6 or 7, characterized in that it further comprises an automatic unit which automatically configures the trusted IP addresses and TCP port numbers in the trusted IP address table according to information about adjacent network devices stored on the network device.
9. The device for preventing a denial-of-access attack according to claim 6, characterized in that the refuse-connection unit directly discards the connection request message or returns a connection reset message to the user terminal.
CN2008101703136A 2008-10-10 2008-10-10 Method and apparatus for preventing reject access aggression Expired - Fee Related CN101378395B (en)

Publications (2)

Publication Number Publication Date
CN101378395A CN101378395A (en) 2009-03-04
CN101378395B true CN101378395B (en) 2011-04-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: 350015 M9511 Industrial Park, fast road, Mawei District, Fujian, Fuzhou
Patentee after: RUIJIE NETWORKS Co.,Ltd.
Address before: 350015 M9511 Industrial Park, fast road, Mawei District, Fujian, Fuzhou
Patentee before: Fujian Star-net Ruijie Network Co.,Ltd.
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20110406