Summary of the invention
The invention provides a method and apparatus for protecting Web servers against HTTP Flood distributed denial-of-service attacks. The method is deployed on a gateway device located at the network edge, which protects all Web servers in the network. The gateway tracks the state of the TCP connections carrying HTTP between clients and Web servers and uses a Cookie-based mechanism combined with port redirection to distinguish legitimate requests from illegitimate ones. Legitimate requests are forwarded to the server by the gateway automatically; the connections carrying illegitimate requests are closed by the gateway.
A Cookie is a short ASCII text string that the Web server sends to the user's browser. Once the browser has received the Cookie it returns it with its subsequent requests, which lets the server track the client and maintain session state. Cookies are carried in HTTP request and response headers between server and client. Ordinary browsers all parse and handle Cookies, whereas most attack tools and network worms lack the ability to recognise and process them. The gateway exploits this difference to separate most legitimate requests from malicious ones. The test therefore distinguishes clients by how completely they implement HTTP, not by intent: a tool that handles redirects and Cookies correctly passes it.
To strengthen the gateway's resistance to attack, the port redirection mechanism is used in combination with the Cookie mechanism. The Web service listens on a fixed port (normally 80). When the gateway receives an unauthenticated HTTP request from a client, it redirects the request to a port that the gateway chooses at random. Only a client that correctly handles the semantics of the redirect is recognised by the gateway as a legitimate user.
The gateway monitors every TCP connection from clients to the service and performs IP fragment reassembly and stream reassembly on each connection. A client's request to the server passes through the gateway first, and the gateway, in order to determine whether the request comes from a legitimate user or an attack tool, answers the request in place of the server. The gateway uses the HTTP 301 reply code; the response contents are shown in Figure 1. A 301 code means that the requested resource has moved permanently to a new location. The gateway fills in the Location field with a new URL in which the port component is changed to Auth_Port and the path component is left unchanged. For ease of handling, Auth_Port is a random value between 1024 and 65535 and is never 80. At the same time a Set-Cookie field carries a random Cookie value generated by the gateway. The Connection field is set to close, which tells the client that this connection is being closed and that it must establish a new connection to send its HTTP request. The IP source address of the response packet constructed by the gateway is set to the Web server's address, so from the client's point of view every packet it receives comes from the server; the gateway is transparent to the user.
When a legitimate user receives the 301 response, its browser handles the response automatically. The client performs two operations:
1. It sends a TCP segment with the FIN flag to the Web server to close the connection. When the gateway receives the FIN segment it sends the ACK segment to the client in place of the Web server. The gateway sets the source IP address of the ACK segment to the server's address and fills in the appropriate TCP fields, including the sequence number, acknowledgement number and checksum.
2. It establishes a new connection by a three-way handshake and issues the request to the URL given in the 301 reply, with a Cookie field in the request packet whose value is identical to the value of the Set-Cookie field in the response packet.
Because the client closes the original connection before sending the request again, and the gateway, acting as a man in the middle, answered the close in place of the Web server, the Web server is still unaware that the connection has been closed. The gateway therefore sends a segment with the RST flag to the Web server to notify it that the connection is closed; the IP source address of this RST segment is set to the client's IP address.
When the client establishes the new connection to the Web server, the gateway receives the SYN segment of the new connection and checks whether the destination port is the port value that was previously returned to this client. If not, the packet is discarded directly; if so, the packet is forwarded to port 80 of the server and the three-way handshake completes. From then on, every packet on this connection passes through the gateway and is port-forwarded.
After the connection is established the gateway receives the HTTP request sent by the user and checks whether the Cookie field of the HTTP packet contains the Cookie value that was originally returned to this client. If the Cookie value is correct, the request is legitimate and is forwarded to the Web server. Otherwise the request is discarded and a segment with the RST flag is sent to the server to make it close the connection. Because the gateway is transparent to the server as well, the IP source address of the RST segment is set to the client's IP address.
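The two spoofed segments in the close sequence above (the ACK the gateway sends to the client in the server's name, and the RST it sends to the server in the client's name) must carry sequence and acknowledgement numbers and a checksum that each peer will accept. The following is an added example, not code from the patent, that builds both segments as raw 20-byte TCP headers. The addresses, ports and sequence numbers are constructed test values; the `server_expected_seq` argument stands in for the gateway's own record of the next client byte the server is waiting for, which the patent's connection-tracking state would supply.

```python
import socket
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535) -> bytes:
    """20-byte TCP header (no options, no payload) with a valid checksum.
    The checksum covers the pseudo-header, so the spoofed source address
    (server for the ACK, client for the RST) is the one that must be used here."""
    header = struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF,
                         ack & 0xFFFFFFFF, (5 << 12) | flags, window, 0, 0)
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def parse_segment(segment: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, csum, _ = struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "checksum": csum}


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct segment sums to zero once its own checksum field is included."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def ack_for_client_fin(client_ip: str, server_ip: str, client_fin: bytes) -> bytes:
    """Step 1: the gateway acknowledges the client's FIN in the server's name.
    The FIN occupies one sequence number, so ack = client seq + 1; the segment's
    own seq is whatever the client has already acknowledged."""
    fin = parse_segment(client_fin)
    assert fin["flags"] & FIN, "not a FIN segment"
    return build_segment(server_ip, client_ip, fin["dport"], fin["sport"],
                         seq=fin["ack"], ack=fin["seq"] + 1, flags=ACK)


def rst_to_server(client_ip: str, server_ip: str, client_fin: bytes,
                  server_expected_seq: int) -> bytes:
    """The server never saw the close, so the gateway resets the connection with
    the client's address as source. server_expected_seq is the next client byte
    the server is waiting for (assumed to come from the gateway's connection
    state); an RST outside the server's receive window would be ignored."""
    fin = parse_segment(client_fin)
    return build_segment(client_ip, server_ip, fin["sport"], fin["dport"],
                         seq=server_expected_seq, ack=0, flags=RST)


if __name__ == "__main__":
    # constructed FIN from client 10.0.0.5:40000 to server 192.0.2.10:80
    fin = build_segment("10.0.0.5", "192.0.2.10", 40000, 80, 1000, 5000, FIN | ACK)
    print(parse_segment(ack_for_client_fin("10.0.0.5", "192.0.2.10", fin)))
    print(parse_segment(rst_to_server("10.0.0.5", "192.0.2.10", fin, 1000)))
```

Note that both spoofed segments are checksummed against the address the peer expects to see, not the gateway's own; a segment checksummed with the wrong source address fails `checksum_ok` and would be silently dropped by the receiving stack.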
When an attack tool or network worm launches a distributed denial-of-service attack, it usually just sends a large number of HTTP requests to the Web server and does not process the server's responses. When the gateway returns the 301 reply with the Cookie inserted, the attack tool or worm cannot correctly interpret the semantics of the reply: it is not redirected to the designated port and its HTTP requests do not contain the designated Cookie value. This lets the gateway distinguish legitimate requests from attack requests effectively. Attack request packets are not forwarded to the Web server by the gateway, so no server resources are consumed on them.
Figure 2 shows the interaction between a legitimate user, the gateway and the Web server, from the issuing of a request to the receipt of the Web server's response.
Figure 3 shows the interaction in which an attack request issued against the Web server by an attack tool or network worm is blocked by the gateway.
The gateway is implemented on customised hardware and a customised operating system: a hardware platform designed for firewalls and a stripped-down Linux operating system. The algorithm above is implemented on the Linux Netfilter framework. Netfilter is a structured low-level framework inside the Linux kernel for extending network services; it defines a set of hook functions for IPv4 and IPv6 that are called at several key points as a datagram passes through the protocol stack. Netfilter provides five hook mount points: NF_IP_PRE_ROUTING, NF_IP_FORWARD, NF_IP_LOCAL_IN, NF_IP_LOCAL_OUT and NF_IP_POST_ROUTING. A kernel module can register one or more hooks for each protocol. When a packet reaches the Netfilter framework, the kernel checks whether a module has registered a hook function for that protocol and, if so, invokes the callback function supplied at registration; the user-defined processing is carried out inside that callback.
The algorithm proposed here is implemented in a hook function attached at NF_IP_PRE_ROUTING, although the attachment point is not limited to NF_IP_PRE_ROUTING. By logical function the algorithm is divided into four modules: the stream reassembly module, the port authorisation module, the HTTP request verification module and the port forwarding module. Figure 5 shows the path of a packet through the gateway and the relationships between the logical modules.
The stream reassembly module stores the TCP streams of connections being set up and connections already established in a hash table, as shown in Figure 4. The hash table is an array; each array element points to a doubly linked list of tcp_stream structures, one per TCP connection. The key used to operate on the hash table is a tuple: the 4-tuple of source address, destination address, source port and destination port. When the gateway receives a new packet it first calls the Linux kernel function ip_defrag to reassemble IP fragments. After reassembly the tuple is hashed to obtain the hash table array index, and the doubly linked list of tcp_stream structures pointed to by that array element is traversed to find whether the packet belongs to a TCP connection the gateway is already tracking. If no match is found, the tuple is inverted (source and destination address swapped, source and destination port swapped) to obtain reverse_tuple, and the hash table lookup is repeated with reverse_tuple.
The tcp_stream structure describes all the information of a TCP connection. Its key members are two half_stream structures describing the client and server sides respectively; a verifier structure that wraps the HTTP request verification function; a reassem_stop flag indicating whether TCP reassembly should continue; and a data buffer holding the ordered application-layer data. When the system receives a SYN packet that belongs to none of the TCP connections it maintains, the packet is the SYN of a TCP three-way handshake for a new connection. The port authorisation module is called to check whether the destination port is the open port of the protected service or the redirect port Auth_Port. If it is, a new tcp_stream structure is initialised for the connection and added to the hash table; otherwise the SYN packet is discarded. If the destination port is the expected Auth_Port, the port forwarding module is called to forward the packet to port 80 of the server. The verifier structure is registered when the tcp_stream structure is initialised, so that the corresponding HTTP request verification function can be called at the right moment during TCP reassembly according to the verifier. The benefit of the verifier structure is that it makes the application-layer inspection modular: to add new verification logic, only a new verification function needs to be registered in the verifier structure.
The algorithm is only concerned with application-layer data sent from the client to the server. Ordered application-layer data is stored in the data buffer of the tcp_stream structure, and a linked list of out-of-order TCP segments is maintained in the client's half_stream structure. When a new TCP segment arrives, the reassembly condition is evaluated: if the complete header of the first HTTP request has not yet been obtained and neither the reassembled data length nor the packet count has reached its upper limit, TCP reassembly continues; otherwise reassembly stops and the packet is simply forwarded. During TCP reassembly the sequence number is checked; in-order segments are appended to the data buffer and become input to the HTTP request verification function, while out-of-order segments are stored in the half_stream segment list for use in subsequent reassembly.
Whenever new data is added to the data buffer, the HTTP request verification module is called. The verification module checks whether the data buffer contains a complete HTTP header; if so, it validates the Cookie value, otherwise it stops the check and waits for the complete HTTP header to arrive. HTTP/1.1 uses persistent connections by default, that is, several HTTP requests and replies can be carried in one TCP connection. Only the first HTTP request in a persistent connection needs to be checked. Once the complete header of the first HTTP request has been obtained, the reassem_stop flag is set to indicate that subsequent data on this TCP connection need not be reassembled; subsequent packets are forwarded or discarded directly according to the result of that check, so later requests on the same connection inherit the verdict of the first. HTTP/1.0 and earlier versions do not support persistent connections and send only one HTTP request per TCP connection; the gateway handles them in the same way as version 1.1, which is not repeated here.
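The stream reassembly logic described above (4-tuple lookup with a reverse-tuple retry, an ordered buffer plus an out-of-order list, and the reassem_stop flag that is set once the first request header is complete or the limits are hit) is shown below as an added example written for this page; it is not the patent's kernel code. The byte and segment limits are assumed values (the patent gives no numbers), the request and the segment boundaries are constructed, and retransmitted data is simply ignored rather than trimmed for overlap.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

HEADER_END = b"\r\n\r\n"
MAX_REASSEM_BYTES = 4096     # assumed upper limit on buffered data
MAX_REASSEM_SEGMENTS = 16    # assumed upper limit on buffered segments


@dataclass
class ClientHalfStream:
    """Client->server half of a tcp_stream: the ordered data buffer,
    the out-of-order segment list and the reassem_stop flag."""
    next_seq: int                                    # next in-order byte expected
    buffer: bytearray = field(default_factory=bytearray)
    out_of_order: Dict[int, bytes] = field(default_factory=dict)
    segments: int = 0
    reassem_stop: bool = False
    first_header: Optional[bytes] = None

    def feed(self, seq: int, payload: bytes) -> str:
        """Return 'header' when the first request head is complete,
        'buffered' while still collecting, 'forward' when reassembly is off."""
        if self.reassem_stop:
            return "forward"
        self.segments += 1
        if seq == self.next_seq:
            self._append(payload)
            while self.next_seq in self.out_of_order:   # drain now-contiguous data
                self._append(self.out_of_order.pop(self.next_seq))
        elif seq > self.next_seq:
            self.out_of_order[seq] = payload           # hold until the gap is filled
        # seq < next_seq: retransmission of data already seen; ignored here
        end = self.buffer.find(HEADER_END)
        if end != -1:
            self.first_header = bytes(self.buffer[:end + len(HEADER_END)])
            self.reassem_stop = True                   # rest of the connection is not reassembled
            return "header"
        if len(self.buffer) >= MAX_REASSEM_BYTES or self.segments >= MAX_REASSEM_SEGMENTS:
            self.reassem_stop = True                   # limit reached: give up, just forward
            return "forward"
        return "buffered"

    def _append(self, payload: bytes) -> None:
        self.buffer += payload
        self.next_seq = (self.next_seq + len(payload)) & 0xFFFFFFFF


class FlowTable:
    """Connections keyed by (src, dst, sport, dport); a miss is retried with the
    reversed tuple so that server->client packets find the same stream."""

    def __init__(self) -> None:
        self.streams: Dict[Tuple[str, str, int, int], ClientHalfStream] = {}

    def add(self, client_ip: str, server_ip: str, sport: int, dport: int, client_isn: int) -> None:
        # the SYN consumes one sequence number, so client data starts at ISN + 1
        self.streams[(client_ip, server_ip, sport, dport)] = ClientHalfStream(
            next_seq=(client_isn + 1) & 0xFFFFFFFF)

    def lookup(self, src: str, dst: str, sport: int, dport: int):
        key = (src, dst, sport, dport)
        if key in self.streams:
            return self.streams[key], "to_server"
        reverse = (dst, src, dport, sport)
        if reverse in self.streams:
            return self.streams[reverse], "to_client"
        return None


def demo():
    """Constructed request split into three segments delivered in the order 1, 3, 2."""
    table = FlowTable()
    table.add("10.0.0.5", "192.0.2.10", 40000, 80, client_isn=999)
    request = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Cookie: sid=abc\r\n\r\n")
    a, b, c = request[:20], request[20:45], request[45:]
    stream, direction = table.lookup("10.0.0.5", "192.0.2.10", 40000, 80)
    results = [stream.feed(1000, a), stream.feed(1045, c), stream.feed(1020, b)]
    # after the header is complete, further data is passed through untouched
    return direction, results, stream.first_header, stream.feed(1068, b"more")


if __name__ == "__main__":
    print(demo())
```

The second segment arrives before the first gap is filled and is parked in `out_of_order`; only when the middle segment lands does the buffer become contiguous, the header terminator is found, and `reassem_stop` is set so the fourth call is forwarded without inspection.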
The port authorisation module is called when the gateway receives the SYN segment of a TCP three-way handshake. If the destination port is 80, the connection about to be established is not a redirected connection, and a tcp_stream structure is initialised for it. If the destination port is not 80, the connection about to be established is one that was redirected through the gateway; the module checks whether the port number corresponds to the source IP address. If it does, a tcp_stream structure is initialised for the connection and the packet is handed to the port forwarding module; if not, the packet is discarded.
The HTTP request verification module is called when the first complete HTTP request header of a TCP connection has been obtained. The module examines the Cookie field in the request header; depending on the packet contents, four cases arise:
1. The HTTP request header has no Cookie field and the TCP destination port is 80. The gateway sends a 301 reply to the client, inserts the new URL address in the 301 reply, and inserts into the new URL the port value Auth_Port randomly generated for this client. A Set-Cookie field with a randomly generated Cookie value is added to the 301 reply header. The port number, the Cookie value and the corresponding client IP address are recorded for later verification. The Connection field of the 301 reply header is set to close to indicate that the connection is closed. Because the gateway is transparent to the client, the source IP address of the 301 reply is set to the Web server's address, so from the client's point of view the reply was sent by the Web server. At the same time the gateway must send a TCP segment with the RST flag to the Web server to make it close the connection; the source address of this RST segment is likewise set to the client's IP address.
2. The HTTP request header has no Cookie field and the TCP destination port is not 80. Only packets redirected through the gateway can be sent to a non-80 port, yet the request header carries no Cookie field, so this request is illegitimate. The gateway discards the packet and sends a segment with the RST flag to the Web server so that it closes the connection already established, reducing the Web server's resource consumption.
3. The HTTP request header contains a Cookie field and the TCP destination port is 80. Since the destination port is 80, this connection has not been redirected through the gateway; the Cookie in the request header is an agreement between server and client and was not assigned by the gateway. As in case 1, the gateway sends a 301 reply to the client in place of the Web server, with the new port number and Cookie value inserted. The Cookie randomly generated by the gateway is appended after the original Cookie value so that the semantics of the original Cookie are not destroyed. At the same time the gateway must send a TCP segment with the RST flag to the Web server so that it closes the connection.
4. The HTTP request header contains a Cookie field and the TCP destination port is not 80. Since the destination port is not 80, the connection was redirected through the gateway, and the legitimacy of the Cookie value must now be checked. The Cookie value generated by the gateway for this client is looked up by source IP address, and the module checks whether the stored Cookie value is a substring of the Cookie value in the current request packet. If it is, the HTTP request is legitimate and the port forwarding module is called to forward it; otherwise the request is discarded and a segment with the RST flag is sent to the Web server so that it closes the connection already established.
In cases 1 and 3 above the gateway sets the Connection field of the 301 reply to close, telling the client to close the connection. The gateway then receives the TCP segment with the FIN flag from the client and must answer that FIN segment with an ACK in place of the Web server.
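The four cases of the verification module, together with the client-side behaviour from the earlier overview (a browser following the 301 and reconnecting with the Cookie, a flood tool ignoring it), are worked through below as an added example written for this page; it is not the patent's code. The cookie name `gwauth`, the hostname, the addresses and the requests are constructed. One deliberate choice is labelled here: the 301 sets only the gateway's own cookie, and the simulated browser sends it alongside the server's existing cookie on the next request, which yields the "gateway Cookie appended after the original Cookie" header that the substring check in case 4 expects without altering the server's cookie. The per-client records are kept in a dict; the patent stores them in a binary sort tree.

```python
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SERVICE_PORT = 80
COOKIE_NAME = "gwauth"  # assumed name for the gateway's own cookie


def parse_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP head into (first line, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    first, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first, headers


class GatewayVerifier:
    """HTTP request verification module; client records kept in a dict here."""

    def __init__(self, server_host: str):
        self.server_host = server_host
        self.records: Dict[str, Tuple[int, str]] = {}   # client ip -> (Auth_Port, cookie)

    def redirect_reply(self, client_ip: str, target: str) -> bytes:
        """Cases 1 and 3: 301 sent on the server's behalf with a fresh port and cookie."""
        port = SERVICE_PORT
        while port == SERVICE_PORT:                     # random port in 1024..65535, never 80
            port = 1024 + secrets.randbelow(65535 - 1024 + 1)
        cookie = f"{COOKIE_NAME}={secrets.token_hex(16)}"
        self.records[client_ip] = (port, cookie)
        # Only the gateway cookie is set; a browser keeps the server's own cookie
        # and sends both on the next request, so the original cookie is undisturbed.
        return (f"HTTP/1.1 301 Moved Permanently\r\n"
                f"Location: http://{self.server_host}:{port}{target}\r\n"
                f"Set-Cookie: {cookie}\r\nConnection: close\r\n\r\n").encode()

    def verify(self, client_ip: str, dst_port: int, request: bytes) -> Tuple[str, Optional[bytes]]:
        """Return (action, reply): 'redirect' with the 301 bytes, 'forward', or 'drop_rst'."""
        request_line, headers = parse_head(request)
        target = request_line.split(" ")[1]
        cookie = headers.get("cookie")
        if dst_port == SERVICE_PORT:                    # cases 1 and 3: not redirected yet
            return "redirect", self.redirect_reply(client_ip, target)
        if cookie is None:                              # case 2: redirected port, no cookie
            return "drop_rst", None
        record = self.records.get(client_ip)            # case 4: port and cookie must match
        if record is not None and record[0] == dst_port and record[1] in cookie:
            return "forward", None
        return "drop_rst", None


def browser_follow(reply: bytes, jar: Dict[str, str]) -> Tuple[str, int, bytes]:
    """What a conforming browser does with the 301: store the cookie, reconnect to
    the host:port in Location, resend the request with its whole cookie jar."""
    _, headers = parse_head(reply)
    url = urlsplit(headers["location"])
    name, _, value = headers["set-cookie"].split(";")[0].partition("=")
    jar[name.strip()] = value.strip()
    cookie_header = "; ".join(f"{k}={v}" for k, v in jar.items())
    request = (f"GET {url.path} HTTP/1.1\r\nHost: {url.hostname}\r\n"
               f"Cookie: {cookie_header}\r\nConnection: close\r\n\r\n").encode()
    return url.hostname, url.port, request


def run_exchange() -> Tuple[list, list]:
    """Constructed traffic: a browser and a flood tool, both sending the same first request."""
    gw = GatewayVerifier("www.example.com")
    first = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=abc\r\n\r\n"
    # Browser: case 3 on port 80, then case 4 on the redirected port with both cookies.
    jar = {"sid": "abc"}
    action, reply = gw.verify("10.0.0.5", SERVICE_PORT, first)
    _, port, second = browser_follow(reply, jar)
    browser = [action, gw.verify("10.0.0.5", port, second)[0]]
    # Flood tool: never reads the reply, so it keeps hitting port 80 (case 3 each time);
    # a guessed non-80 port fails case 2 without a cookie and case 4 with the wrong one.
    bare = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    tool = [gw.verify("10.0.0.9", SERVICE_PORT, first)[0],
            gw.verify("10.0.0.9", SERVICE_PORT, first)[0],
            gw.verify("10.0.0.9", 4444, bare)[0],
            gw.verify("10.0.0.9", 4444, first)[0]]
    return browser, tool


if __name__ == "__main__":
    print(run_exchange())
```

Only the HTTP-level decision is modelled; the 301 is what the gateway would place in a packet whose source address is the server's, and the `drop_rst` outcome is where the RST toward the server would be emitted.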
The generation, maintenance and update of port numbers and Cookie values by the gateway are described as follows. Port numbers and Cookie values are organised in a binary sort tree keyed by client source IP address, as shown in Figure 6. Each node of the tree holds a source IP address and the storage structure corresponding to that address. Each storage structure contains the port number, the Cookie value and time information. Port numbers and Cookie values age: a port number or Cookie value whose lifetime exceeds a set value becomes invalid. In the binary sort tree, if the left subtree of a node is non-empty, the source IP addresses of all nodes in the left subtree are smaller than that of the root node; if the right subtree is non-empty, the source IP addresses of all nodes in the right subtree are greater than that of the root node; and the left and right subtrees are each binary sort trees in turn. When the gateway generates a redirect reply, it generates a random port number and Cookie value, records the generation time, and inserts the storage structure at the appropriate position in the tree according to the client's source IP address. When the gateway receives the SYN segment of a new connection or obtains a complete HTTP header, it searches the binary sort tree to determine whether the destination port number or Cookie value matches and whether the generation time has exceeded the time limit, and proceeds according to the result. When the TCP connection is closed, the node corresponding to the source IP address is deleted. Because records are keyed by source IP address alone, several clients behind one NAT address share a single record.
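The following is an added example, not the patent's code, of the record store just described: a binary sort tree keyed by the client's source IP (compared as an integer), with the port check made on a SYN, the Cookie substring check made on a complete header, expiry by age, and deletion on connection close. The 60-second lifetime is an assumed value, and the clock is injectable so that ageing can be exercised without waiting; the addresses and cookies in the usage are constructed.

```python
import ipaddress
import time
from typing import Callable, List, Optional

RECORD_TTL = 60.0   # assumed lifetime of a port/cookie pair, in seconds


class Node:
    __slots__ = ("ip", "port", "cookie", "created", "left", "right")

    def __init__(self, ip: int, port: int, cookie: str, created: float):
        self.ip, self.port, self.cookie, self.created = ip, port, cookie, created
        self.left: Optional["Node"] = None
        self.right: Optional["Node"] = None


class RedirectTree:
    """Binary sort tree keyed by client source IP: every key in a left subtree is
    smaller than its root, every key in a right subtree larger."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.root: Optional[Node] = None
        self.clock = clock

    @staticmethod
    def _key(ip: str) -> int:
        return int(ipaddress.ip_address(ip))

    def insert(self, ip: str, port: int, cookie: str) -> None:
        """Called when a redirect reply is generated; a second reply to the same
        IP replaces the record and refreshes its timestamp."""
        key, now = self._key(ip), self.clock()
        if self.root is None:
            self.root = Node(key, port, cookie, now)
            return
        node = self.root
        while True:
            if key < node.ip:
                if node.left is None:
                    node.left = Node(key, port, cookie, now)
                    return
                node = node.left
            elif key > node.ip:
                if node.right is None:
                    node.right = Node(key, port, cookie, now)
                    return
                node = node.right
            else:
                node.port, node.cookie, node.created = port, cookie, now
                return

    def _find(self, key: int) -> Optional[Node]:
        node = self.root
        while node is not None and node.ip != key:
            node = node.left if key < node.ip else node.right
        return node

    def _live(self, ip: str) -> Optional[Node]:
        node = self._find(self._key(ip))
        if node is None or self.clock() - node.created > RECORD_TTL:
            return None            # unknown client, or record aged out
        return node

    def check_syn(self, ip: str, dst_port: int) -> bool:
        """Port authorisation on a SYN to a non-service port."""
        node = self._live(ip)
        return node is not None and node.port == dst_port

    def check_cookie(self, ip: str, cookie_header: str) -> bool:
        """Case 4: the stored cookie must appear in the request's Cookie header."""
        node = self._live(ip)
        return node is not None and node.cookie in cookie_header

    def delete(self, ip: str) -> None:
        """Called when the TCP connection closes."""
        self.root = self._delete(self.root, self._key(ip))

    def _delete(self, node: Optional[Node], key: int) -> Optional[Node]:
        if node is None:
            return None
        if key < node.ip:
            node.left = self._delete(node.left, key)
        elif key > node.ip:
            node.right = self._delete(node.right, key)
        elif node.left is None:
            return node.right
        elif node.right is None:
            return node.left
        else:                       # two children: pull up the in-order successor
            succ = node.right
            while succ.left is not None:
                succ = succ.left
            node.ip, node.port, node.cookie, node.created = succ.ip, succ.port, succ.cookie, succ.created
            node.right = self._delete(node.right, succ.ip)
        return node

    def inorder_ips(self) -> List[str]:
        """Client addresses in ascending order (the tree's ordering invariant)."""
        out, stack, node = [], [], self.root
        while stack or node is not None:
            while node is not None:
                stack.append(node)
                node = node.left
            node = stack.pop()
            out.append(str(ipaddress.ip_address(node.ip)))
            node = node.right
        return out


if __name__ == "__main__":
    tree = RedirectTree()
    tree.insert("10.0.0.5", 4321, "gwauth=aa")
    print(tree.check_syn("10.0.0.5", 4321), tree.check_cookie("10.0.0.5", "sid=abc; gwauth=aa"))
```

An expired record is treated exactly like an unknown client, so a SYN to a port handed out more than RECORD_TTL seconds ago is dropped and the client has to go through the redirect again.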