CN101989985A - Hardware-based core router TCP connection state maintenance module design scheme - Google Patents


Info

Publication number: CN101989985A
Authority: CN (China)
Prior art keywords: tcp, router, module, message, maintenance module
Legal status: Granted (Google's status listing is an assumption, not a legal conclusion)
Application number: CN2010105011822A
Other languages: Chinese (zh)
Other versions: CN101989985B (en)
Inventors: 孙践知, 贠冰, 戴明利, 韩忠明, 陈丹
Current assignee: Beijing Technology and Business University
Original assignee: Beijing Technology and Business University
Priority date: 2010-10-09
Filing date: 2010-10-09
Publication date: 2011-03-23

Events
Application filed by Beijing Technology and Business University
Priority to CN 201010501182 (CN101989985B)
Publication of CN101989985A
Application granted
Publication of CN101989985B
Expired - Fee Related (current legal status)
Anticipated expiration

Abstract

The invention relates to a new hardware-based design for the TCP connection state maintenance module of a core router, covering the module's principle, processing contents and working process. TCP connection state maintenance in a core router is an important factor in the router's security. A hardware-based TCP connection state maintenance module can effectively reduce malicious attacks on the core router that exploit TCP state maintenance, protects the CPU and storage resources of the core router, and prevents TCP/IP protocol stack overflow, stack crash, router crash and similar conditions caused by such attacks, greatly improving the operating stability of the core router.

Description

Hardware-based core router TCP connection state maintenance module design
Technical field
The present invention relates to the TCP connection state maintenance module of a core router; its purpose is to protect the network equipment from malicious attack.
Background technology
In a live network the core router plays a crucial role, and its stability directly determines the reliability of backbone network services. A core router usually runs the BGP routing protocol and therefore inevitably opens some TCP ports, so the security of these open TCP ports is particularly important. Because TCP is connection-oriented and must maintain state, attacks that target TCP state maintenance arise; such attacks cannot be solved by TCP itself and are a problem the core router must address.
Current core routers perform TCP connection state maintenance with a CPU+RAM approach: the TCP state table is stored in the router's RAM and is built and maintained by the router's CPU. The handling of a new TCP connection in a core router is shown in Figure 1; the concrete process is as follows:
A packet enters the IP packet processing module through the interface module and is matched by the route processing engine. After it hits a directly connected route, it passes through the large-capacity storage management and scheduling module and is forwarded to the switch interface module, from where it is handed over the high-speed backplane to the main control board CPU for processing. Once the main control board CPU has processed the message sequence that sets up the TCP connection, a TCP state table entry is formed; this TCP state table is stored in RAM and maintained by the CPU.
Because TCP is connection-oriented and requires state maintenance, its state table needs enough RAM and CPU resources to store and process, yet both resources are limited when the router architecture is designed. Therefore, when the router is under malicious attack, for instance receiving a large number of TCP connection requests that exceed the CPU's processing capacity or the RAM's storage capacity, its normal operation is affected. In serious cases the attack can overflow the router's TCP/IP protocol stack and crash the router; in milder cases it can abort the router's routing protocol, making routes unstable and in turn affecting the stability of the whole backbone network.
Summary of the invention
The present invention relates to a new hardware-based design for the TCP connection state maintenance module of a core router. The technical problem it solves is to use a hardware-based TCP packet filtering mechanism in the core router to distinguish malicious attack packets from normal packets: normal TCP messages are punted to the CPU, while malicious attack messages are filtered out, so that the core router is protected from attack by malicious packets.
When an attack based on TCP state characteristics occurs, the destination address of the attacking IP packets is a directly connected interface IP address or a Loopback interface IP address of the router, and in a distributed router architecture such packets must be punted to the router CPU that maintains the protocol stack.
To avoid the serious impact of this type of attack, the method currently adopted in distributed router architectures, shown in Figure 2, is to rate-limit packets punted from the large-capacity storage management and scheduling module: punted packets beyond a certain number per unit time are dropped. This protection only ensures that the router does not exhaust the main control board's CPU and memory resources while under attack. Once the threshold is reached, the router cannot distinguish normal TCP requests from malicious TCP attacks; all subsequently received packets are dropped, so the router refuses all new TCP connection requests until the attack stops and memory is freed again.
In the present invention, a TCP state processing module is added on the line card in the distributed processing hardware architecture of the core router, as shown in Figure 2. This module performs state management on TCP messages, distinguishes normal TCP messages from malicious TCP attacks, punts normal TCP messages to the CPU and filters out malicious attack messages, thereby protecting the core router from malicious attack.
Description of drawings
Fig. 1 Structure of an ordinary router (without the TCP state maintenance module)
Fig. 2 Router structure with the TCP state maintenance module added
Fig. 3 Working process of the TCP state maintenance module
Embodiment
The principle and features of the present invention are described below; the examples given serve only to explain the invention and are not intended to limit its scope.
Exemplifying embodiment
When a BGP neighbour is set up, the administrator must manually configure the physical interface address and the neighbour address. From the network management standpoint it can be assumed that no malicious attack behaviour occurs between directly connected routers or within the management address range. Addresses not directly connected to the router, that is, all indirectly connected addresses reachable in the network, and addresses that have no protocol neighbour relationship with the router, are defined as "non-trusted IP" because the trustworthiness of their users cannot be determined.
Port 179 is set in the router configuration file as open to trusted IP and not open to "non-trusted IP". When a scan occurs, the illegal packets are dropped directly by the TCP state maintenance module and are not punted to the CPU for processing.

Claims (10)

1. A hardware-based core router TCP connection state maintenance module design (abbreviated as the TCP state maintenance module in the following), characterised in that it comprises the module's principle, processing contents and working process.
2. The TCP state maintenance module according to claim 1, characterised in that the module is implemented on an FPGA hardware chip as carrier; the TCP connection state maintenance module is added on the line card in the distributed processing hardware architecture of the core router; the module performs state management on TCP messages, distinguishes normal TCP messages from malicious TCP attack messages, punts normal TCP messages to the CPU and filters out malicious attack messages.
3. The TCP connection state maintenance module according to claims 1 to 2, characterised in that the module's control mechanism comprises threshold setting and Log handling. The threshold controls the number of identical TCP data messages received per unit time and is set at system initialisation or configuration time; when the number of qualifying TCP data messages received exceeds the threshold, an attack on the router is deemed to have occurred. Log handling marks attacking TCP messages with a Log flag and records them in the Log.
4. The TCP connection state maintenance module according to claims 1 to 3, characterised in that after an IP packet received by the core router hits a directly connected route of the router, the core router punts the packet into the TCP state maintenance module. On entering the module, it is first judged whether the packet's source IP is a "trusted IP". The "trusted IP" judgement is performed by the router by associating the router configuration file with the TCP state module: the directly connected address segment range and the addresses of adjacent routers are obtained from the router configuration file. IPs within this range are considered "trusted IP"; all other IPs are considered "non-trusted IP".
5. The TCP connection state maintenance module according to claims 1 to 3, characterised in that after the "trusted IP" judgement described in claim 4 is completed, the open port state of the router and the corresponding IP address range are judged; the port state of the router is obtained from the router configuration file.
6. The TCP connection state maintenance module according to claims 1 to 3, characterised in that after the trusted IP and port judgements described in claims 4 to 5 are completed, the TCP protocol state is checked: if the data message belongs to a connection that has completed the TCP "three-way handshake", it is checked according to its TCP sequence; if the TCP state is SYN SEND, i.e. the message requests a new connection, it is confirmed as a suspicious TCP request.
7. The TCP connection state maintenance module according to claims 1 to 3, characterised in that after the TCP state check described in claim 6 is completed, the TCP sliding window mechanism is used to compare the TCP sequence number; a TCP message with correct sequence is punted to the CPU. If the sequence number is not within the TCP window range, it is confirmed as a suspicious TCP request and a "back-off mechanism" is adopted: the message is temporarily not punted so that the sender's TCP timer times out; a legitimate request will retransmit, and once a second message with correct sequence is received it is punted to the CPU; otherwise it is considered an illegal TCP request.
8. The TCP connection state maintenance module according to claims 1 to 3, characterised in that after the processing described in claims 4 to 7 is completed, if within the timer period the number of packets received exceeds the threshold and any of the packets is identical to a record in the TCP state module, the attack judgement rule is triggered, an attack is considered detected and the packet is dropped directly; if the judgement rule is not triggered, the TCP state module replies SYN+ACK on behalf of the CPU.
9. The TCP connection state maintenance module according to claims 1 to 3, characterised in that after claims 4 to 8 are completed, if no ACK message is received, the source address is a forged address, the connection request is an attack and the packet is discarded; if the corresponding ACK message is received, connection setup is complete and the connection request is judged to be a normal TCP request. The TCP state module then regenerates a SYN message identical to the original request and applies to the CPU to establish the TCP connection on behalf of the original requester, completing the "three-way handshake" in its place.
10. The TCP connection state maintenance module according to claims 1 to 3, characterised in that after the processing described in claims 4 to 10 is completed, the TCP state connection table is updated; when subsequent packets arrive, those that pass the state check are handed directly to the CPU.
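As an added illustration (not the patent's own code or FPGA design), the following Python model walks a segment through the decision pipeline of claims 4 to 10 and the BGP embodiment above: trusted-IP check against configured prefixes, open-port check, SYN threshold with the SYN+ACK answered by the module, back-off on out-of-window sequence numbers, and forged-source cleanup when the timer expires. The prefixes, neighbour address, threshold, packets and the return labels are constructed assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the router configuration file (claims 4-5, BGP embodiment).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/30")]   # directly connected segment
TRUSTED_PEERS = {"192.0.2.10"}                            # configured BGP neighbour address
OPEN_PORTS = {179}                                        # BGP port, open to trusted IP only
THRESHOLD = 3                                             # SYNs per flow per timer window (claim 3)
WINDOW = 1000                                             # sequence window width (claim 7)

class TcpStateModule:
    def __init__(self):
        self.conn = {}                     # flow key -> {"state", "expect", "suspect"}
        self.syn_count = defaultdict(int)  # flow key -> SYNs seen in the current timer window
        self.log = []                      # attack messages tagged for the Log (claim 3)

    def is_trusted(self, src):
        ip = ipaddress.ip_address(src)
        return src in TRUSTED_PEERS or any(ip in net for net in TRUSTED_NETS)

    def drop(self, pkt, reason):
        self.log.append((pkt["src"], reason))
        return "drop"

    def handle(self, pkt):
        """Decide one segment: 'punt', 'drop', 'synack', 'replay_syn' or 'hold' (labels are mine)."""
        key = (pkt["src"], pkt["sport"], pkt["dport"])
        if not self.is_trusted(pkt["src"]):                 # claim 4: non-trusted IP
            return self.drop(pkt, "non-trusted IP")
        if pkt["dport"] not in OPEN_PORTS:                  # claim 5: port not open
            return self.drop(pkt, "closed port")
        c = self.conn.get(key)
        if pkt["flags"] == "SYN":                           # claim 6: new request is suspicious
            self.syn_count[key] += 1
            if self.syn_count[key] > THRESHOLD and c is not None:   # claim 8: over threshold
                return self.drop(pkt, "SYN flood over threshold")   # and matches a record
            self.conn[key] = {"state": "SYN_RECEIVED", "expect": pkt["seq"] + 1, "suspect": False}
            return "synack"                                 # claim 8: module replies SYN+ACK
        if c is None:                                       # non-SYN segment with no state
            return self.drop(pkt, "no connection state")    # (modelling choice, not in the claims)
        if c["state"] == "SYN_RECEIVED":
            if pkt["flags"] == "ACK" and pkt["seq"] == c["expect"]:  # claim 9: handshake done
                c["state"] = "ESTABLISHED"
                return "replay_syn"                         # module re-issues the SYN to the CPU
            return self.drop(pkt, "bad handshake")
        if c["expect"] <= pkt["seq"] < c["expect"] + WINDOW:  # claim 7: sequence in window
            c["expect"], c["suspect"] = pkt["seq"] + pkt.get("len", 0), False
            return "punt"                                   # claim 10: state ok, straight to CPU
        if not c["suspect"]:                                # claim 7: back off on first bad seq
            c["suspect"] = True
            return "hold"
        return self.drop(pkt, "illegal sequence after back-off")

    def timer_expire(self):
        """Timer window ends: half-open flows that never ACKed came from forged sources (claim 9)."""
        for key, c in list(self.conn.items()):
            if c["state"] == "SYN_RECEIVED":
                self.log.append((key[0], "forged source, no ACK"))
                del self.conn[key]
        self.syn_count.clear()
```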

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN 201010501182 (CN101989985B) | 2010-10-09 | 2010-10-09 | Hardware-based core router TCP connection state maintenance module design scheme


Publications (2)

Publication Number | Publication Date
CN101989985A | 2011-03-23
CN101989985B | 2013-08-28

Family

ID=43746328


Country Status (1)

Country Link
CN (1) CN101989985B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1863197A * | 2005-05-10 | 2006-11-15 | 美国博通公司 | Method and system for handling out-of-order segments in a wireless system via direct data placement
CN101123492A * | 2007-09-06 | 2008-02-13 | 杭州华三通信技术有限公司 | Method and device for detecting scanning attack
CN101175013A * | 2006-11-03 | 2008-05-07 | 飞塔信息科技(北京)有限公司 | Method, network system and proxy server for preventing denial of service attack
CN101478387A * | 2008-12-31 | 2009-07-08 | 成都市华为赛门铁克科技有限公司 | Defense method, apparatus and system for hypertext transfer protocol attack


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106101161A * | 2016-08-26 | 2016-11-09 | 网宿科技股份有限公司 | Method and system for processing forged TCP packets
WO2018035962A1 * | 2016-08-26 | 2018-03-01 | 网宿科技股份有限公司 | Method and system for processing forged TCP data packet
CN106101161B * | 2016-08-26 | 2019-02-01 | 网宿科技股份有限公司 | Method and system for processing forged TCP packets
US10834126B2 | 2016-08-26 | 2020-11-10 | Wangsu Science & Technology Co., Ltd. | Method and system for processing forged TCP packet
CN107517218A * | 2017-09-26 | 2017-12-26 | 上海斐讯数据通信技术有限公司 | Method and system for testing a router's DoS attack protection function

Also Published As

Publication number Publication date
CN101989985B (en) 2013-08-28


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
CF01 | Termination of patent right due to non-payment of annual fee

Granted publication date: 20130828

Termination date: 20161009