CN105323259A - Method and device for preventing synchronous packet attack - Google Patents


Info

Publication number: CN105323259A
Authority: CN (China)
Prior art keywords: tcp connection; packet; address; connection packet; client
Legal status: Granted (Active)
Application number: CN201510894043.3A
Other languages: Chinese (zh)
Other versions: CN105323259B (en)
Inventor: 张德黎
Current assignee: Taizhou Jiji Intellectual Property Operation Co.,Ltd.
Original assignee: Shanghai Feixun Data Communication Technology Co Ltd
Events: application filed by Shanghai Feixun Data Communication Technology Co Ltd; priority to CN201510894043.3A; publication of CN105323259A; application granted; publication of CN105323259B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L63/1441 Countermeasures against malicious traffic
                    • H04L63/1458 Denial of Service
                • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]

Abstract

The invention provides a method and device for preventing synchronous (SYN) packet attacks. The method comprises: pre-registering a hook function in the kernel, creating a tracking-monitoring linked list and a blacklist linked list, and setting a SYN packet threshold value and a re-check interval; using the hook function to parse the TCP connection packets sent by a client to a server, where the TCP connection packet transmitted in the first handshake between client and server is the SYN packet; when the number of SYN packets from the same IP address reaches the SYN packet threshold value, adding the IP address to the tracking-monitoring linked list and tracking the TCP connection packets subsequently sent by the client at that IP address; and parsing the tracked TCP connection packets and, if a TCP connection packet is determined to be an attack packet, adding its IP address to the blacklist linked list. With this method and device, attacks by synchronous (SYN) packets can be prevented.

Description

Method and apparatus for preventing synchronous packet attacks
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for preventing synchronous (SYN) packet attacks.
Background art
In the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite, TCP provides a reliable connection service and establishes a connection with a three-way handshake.
Suppose a client communicates with a server; the three-way handshake proceeds as follows:
First handshake: to open a connection, the client sends a TCP packet with the SYN flag set (seq=j) to the server and enters the SYN_SEND state; the client now waits for the server to acknowledge this packet.
Second handshake: the server receives the packet and must acknowledge the client's SYN (ack=j+1) while also sending its own SYN (seq=k); the two are combined into one SYN+ACK packet, and the server enters the SYN_RECV state.
Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgement packet ACK (ack=k+1) to the server; once this packet is sent, client and server enter the ESTABLISHED state and the three-way handshake is complete.
After the three-way handshake completes, the client can exchange data with the server. It follows from these steps that if the client never sends the third-handshake packet, the server never receives it; in that case the server generally retries by sending SYN+ACK to the client again and abandons the incomplete connection after waiting for a period of time. This period is called the SYN Timeout and is on the order of minutes (roughly 30 seconds to 2 minutes). System resources are occupied while the server waits, and if the acknowledgements for SYN+ACK packets sent on many ports all fail to arrive, many threads are left waiting for connections; eventually system resources may be exhausted and the system may crash or reboot. This attack is the SYN flood, so a SYN packet attack exploits the weakness in the third handshake of a TCP connection to attack the server.
If a machine in an intranet provides application services as a server and no firewall is present, a large number of SYN packets from outside attacking the host behind the router will, if the host's hardware is not particularly powerful, at best stop normal services from working and at worst crash the host or paralyze the network.
In the prior art, the solution is to run iptables commands in user space on the router to directly limit the number of SYN packets; however, once the threshold is detected the user's data is simply dropped, leaving no room to recover from a user misoperation.
Summary of the invention
To solve the above technical problem, the invention provides a method and apparatus for preventing SYN packet attacks, which can protect the intranet devices behind the current router from SYN packet attacks and effectively prevent intranet devices from exhausting their resources, crashing or paralyzing the network because of a SYN packet attack.
The invention provides a method for preventing SYN packet attacks, comprising: registering a hook function in the kernel in advance, creating a tracking-monitoring linked list and a blacklist linked list, and setting a SYN packet threshold and a re-check interval; using the hook function to parse the TCP connection packets sent by a client to a server, where the TCP connection packet sent in the first handshake between client and server is the SYN packet; when the number of SYN packets from the same IP address reaches the SYN packet threshold, adding that IP address to the tracking-monitoring linked list and tracking the TCP connection packets subsequently sent by the client at that IP address; and parsing the tracked TCP connection packets and, if a packet is determined to be an attack packet, adding its IP address to the blacklist linked list.
Further, the tracking-monitoring linked list comprises an IP address field and a TCP connection packet field; its length is the number of IP addresses to be tracked.
Further, the blacklist linked list comprises an IP address field and a blacklist flag field. When the blacklist flag has the first value, the IP address is permanently blacklisted and the TCP connection packets sent by the corresponding client are dropped directly; when the flag has the second value, the IP address is blacklisted for the duration of the re-check interval, and the TCP connection packets sent by the corresponding client cannot reach the server during that interval.
Further, the SYN packet threshold is the maximum number of SYN packets per second permitted from the same IP address; the re-check interval is the time, after an IP address is blacklisted for the first time, at which it is detected a second time whether its SYN packets reach the threshold.
Further, the method also comprises counting the number of SYN packets per second from the difference of a jiffies variable; the jiffies variable is initialised to 0 at startup, and its value is increased by the interrupt handling routine each time the hook function parses SYN packets.
Further, the TCP connection packet comprises a sequence field and an acknowledgement field, and the step of parsing the tracked TCP connection packet comprises parsing it according to its sequence field and acknowledgement field.
Further, parsing according to the sequence and acknowledgement fields comprises: at the first handshake between client and server, intercepting the first TCP connection packet sent by the client to the server and obtaining its sequence value, denoted X, where X is an integer; letting the first TCP connection packet through to the server; at the second handshake, intercepting the second TCP connection packet that the server returns to the client as a response and obtaining its acknowledgement value, which is X+1; and obtaining the sequence value of the second TCP connection packet, denoted Y, where Y is an integer.
Further, the method also comprises judging whether the client and server perform the third handshake within a preset time: if a third TCP connection packet sent by the client to the server is intercepted and its sequence value is Y+1, the client is determined not to be an attack client; if no third TCP connection packet is intercepted and instead another first-handshake TCP connection packet is intercepted, the client is determined to be an attack client, and the TCP connection packets it sends are attack packets.
Further, after an IP address whose TCP connection packet is determined to be an attack packet has been added to the blacklist linked list, the method also comprises: setting the blacklist flag for that IP address to the second value; within the re-check interval, if a TCP connection packet sent by a client to the server is intercepted, checking whether the client's IP address is in the blacklist linked list; and if it is, dropping the packet.
Further, the method also comprises: after the re-check interval has elapsed, counting again the number of SYN packets per second for that IP address; if the count reaches the SYN packet threshold, setting the blacklist flag for that IP address to the first value; if it does not, deleting the IP address from the blacklist linked list.
The invention also provides an apparatus for preventing SYN packet attacks, comprising: a setup module, for registering a hook function in the kernel in advance, creating the tracking-monitoring linked list and the blacklist linked list, and setting the SYN packet threshold and the re-check interval; a first processing module, for using the hook function to parse the TCP connection packets sent by the client to the server, the packet sent in the first handshake being the SYN packet; a second processing module, for adding an IP address to the tracking-monitoring linked list when the number of SYN packets from that address reaches the SYN packet threshold and tracking the TCP connection packets subsequently sent by the corresponding client; and a third processing module, for parsing the tracked TCP connection packets and, if a packet is determined to be an attack packet, adding its IP address to the blacklist linked list.
Further, the tracking-monitoring linked list comprises an IP address field and a TCP connection packet field, and its length is the number of IP addresses to be tracked; the blacklist linked list comprises an IP address field and a blacklist flag field; when the flag has the first value, the IP address is permanently blacklisted and the TCP connection packets sent by the corresponding client are dropped directly, and when the flag has the second value, the IP address is blacklisted for the duration of the re-check interval and the TCP connection packets sent by the corresponding client cannot reach the server during that interval.
Further, the SYN packet threshold is the maximum number of SYN packets per second permitted from the same IP address, and the re-check interval is the time, after an IP address is blacklisted for the first time, at which it is detected a second time whether its SYN packets reach the threshold.
Further, the TCP connection packet comprises a sequence field and an acknowledgement field, and the second processing module is specifically for: at the first handshake between client and server, intercepting the first TCP connection packet sent by the client to the server and obtaining its sequence value, denoted X, where X is an integer; letting the first TCP connection packet through to the server; at the second handshake, intercepting the second TCP connection packet that the server returns to the client as a response and obtaining its acknowledgement value, which is X+1; obtaining the sequence value of the second TCP connection packet, denoted Y, where Y is an integer; judging whether the client and server perform the third handshake within a preset time; if a third TCP connection packet sent by the client to the server is intercepted and its sequence value is Y+1, determining that the client is not an attack client; and if no third TCP connection packet is intercepted but another first-handshake TCP connection packet is, determining that the client is an attack client and that the TCP connection packets it sends are attack packets.
Further, the third processing module is also for: setting the blacklist flag for that IP address to the second value; within the re-check interval, if a TCP connection packet sent by a client to the server is intercepted, checking whether the client's IP address is in the blacklist linked list; and if it is, dropping the packet.
Further, the third processing module is also for: after the re-check interval has elapsed, counting again the number of SYN packets per second for that IP address; if the count reaches the SYN packet threshold, setting the blacklist flag for that IP address to the first value; if it does not, deleting the IP address from the blacklist linked list.
Compared with the prior art, the anti-SYN-attack scheme the invention provides under bridge mode can, to a certain extent, protect the intranet devices behind the current router from SYN packet attacks, and effectively prevents intranet devices from exhausting their resources, crashing or paralyzing the network because of a SYN packet attack.
Brief description of the drawings
To explain the technical solution in the embodiments of the application more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the application, and a person of ordinary skill in the art can obtain other drawings from them without creative effort. In the drawings:
Fig. 1 is a schematic flowchart of the method for preventing SYN packet attacks provided by the invention.
Fig. 2 is a schematic structural diagram of the apparatus for preventing SYN packet attacks provided by the invention.
Embodiments
To make the technical problem solved by the application, its technical solution and its beneficial effects clearer, the application is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the application and do not limit it.
The invention uses the forwarding characteristics of the router's embedded Linux system in bridge mode to propose a scheme for preventing SYN packet attacks.
Embodiment one:
Fig. 1 is a schematic flowchart of the method for preventing SYN packet attacks provided by the invention. As shown in Fig. 1, the method comprises:
Step 101: register a hook (HOOK) function in the kernel in advance, create the tracking-monitoring linked list and the blacklist linked list, and set the SYN packet threshold parameter and the re-check interval parameter.
The invention is built on the netfilter framework. Netfilter is the Linux kernel firewall framework; it is both concise and flexible and can implement many of the functions used in security policy, such as packet filtering, packet processing, address masquerading, transparent proxying, dynamic network address translation (NAT), filtering based on user and on media access control (MAC) address, stateful filtering, packet rate limiting and so on.
Specifically, netfilter places inspection points at certain positions along the Linux kernel's network path, and at each point a HOOK function is registered for processing, such as packet filtering or a user-defined function.
The IP-layer HOOK points are the following:
NF_IP_PRE_ROUTING: packets that have just entered the network layer pass this point; destination address translation is performed here;
NF_IP_LOCAL_IN: packets destined for the local machine pass this point after route lookup; INPUT packet filtering is performed here;
NF_IP_FORWARD: forwarded packets pass this point; forward packet filtering is performed here;
NF_IP_POST_ROUTING: all packets about to leave through a network device pass this point; built-in source address translation is performed here;
NF_IP_LOCAL_OUT: packets sent by local processes pass this point; output packet filtering is performed here.
In a specific embodiment of the invention, the tracking-monitoring linked list comprises an IP address field and a TCP connection packet field, and its length is the number of IP addresses to be tracked. The length is usually chosen according to the server hardware; a higher-performance server can use a longer list.
The blacklist linked list comprises an IP address field and a blacklist flag field. The flag can be represented numerically: for example, 0 means the IP address is permanently blacklisted and cannot be removed, and 1 means packets sent from the IP address are prohibited from being forwarded to the server for a period of time.
In a specific embodiment of the invention, the SYN packet threshold is the maximum number of SYN packets per second permitted from the same IP address. The re-check interval is the time, after an IP address is blacklisted for the first time, at which it is detected a second time whether its SYN packets reach the threshold.
Step 102: use the HOOK function to parse the TCP connection packets sent by the client to the server; the TCP connection packet sent in the first handshake between client and server is the SYN packet.
In a specific embodiment of the invention, the packet sent in the first handshake of the TCP three-way handshake is the SYN packet, i.e. the packet with the SYN flag set; the router intercepts the TCP connection packets the client sends to the server and parses them with the HOOK function.
Step 103: when the number of SYN packets from the same IP address reaches the SYN packet threshold, add the TCP connection packets subsequently sent by the client at that IP address to the tracking-monitoring linked list.
In a specific embodiment of the invention, the kernel intercepts the TCP connection packets forwarded by the router, keeps a count per IP address of the SYN packets (packets carrying the SYN flag) from that address, and lets the packets through directly once they have been counted.
The number of SYN packets per second is obtained from the difference of the jiffies variable. The jiffies variable records the total number of ticks since the system started; the kernel initialises it to 0 at startup, and thereafter every clock interrupt handler increments it.
If the number of SYN packets from the same IP address exceeds the SYN packet threshold, the TCP connection packets sent by the client at that address are temporarily regarded as invalid; therefore, when the SYN packet count from the same IP address reaches the threshold, the TCP connection packets subsequently sent by that client are added to the tracking-monitoring linked list and tracked.
Step 104: parse the TCP connection packets in the tracking-monitoring linked list; if a packet is determined to be an attack packet, add the corresponding IP address to the blacklist linked list.
In a specific embodiment of the invention, a TCP connection packet comprises a sequence (SEQ) field and an acknowledgement (ACK) field, and the TCP connection packets in the tracking-monitoring linked list are parsed according to their SEQ and ACK values.
Specifically, at the first handshake between client and server the router intercepts the first TCP connection packet and obtains its SEQ value, assumed to be X; the first packet is let through to the server. At the second handshake the server returns a second TCP connection packet to the client as a response; the router intercepts it, obtains its ACK value and checks whether that value is X+1, and obtains the SEQ value of the response, assumed to be Y. If the client is not an attack client, it sends a third TCP connection packet to the server to perform the third handshake, and the SEQ value in that packet should be Y+1. If no TCP connection packet from the client is received within the set time, that is, the client never sends the third-handshake packet and leaves the server in a half-open state consuming resources, but instead keeps sending first-handshake packets, the TCP connection packet is determined to be an attack packet; the corresponding IP address is added to the blacklist linked list, its blacklist flag is set to 1, and from then on packets from that IP are dropped directly.
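The step 104 check, which the summary also sets out as the sequence/acknowledgement parsing and third-handshake judgement, as an added user-space model in C. This is example code written for this page, not the patent's implementation, and it does not touch netfilter; the packet structure, tick units, verdict codes and the three constructed packet streams are its own assumptions. X and Y play the roles of j and k from the Background section. One point of detail: the patent text says the third packet's sequence value should be Y+1, but in a standard TCP handshake, exactly as the Background's ack=k+1 states, the value Y+1 travels in the acknowledgement field, so the check below reads the ACK number. A fresh first-handshake SYN arriving before the previous handshake finished, or the preset time expiring without a third packet, yields the attack verdict, as step 104 describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the patent's code: a user-space model of the step 104
 * handshake check for one tracked client. Packet layout, tick units, verdict
 * codes and the packet streams below are constructed assumptions. */

enum verdict { TRACKING = 0, NOT_ATTACK = 1, ATTACK = -1 };

struct pkt {
    int from_client;        /* 1: client -> server, 0: server -> client */
    int syn, ack;           /* TCP flag bits */
    uint32_t seq, ack_num;  /* sequence and acknowledgement numbers */
    unsigned long tick;     /* arrival time in ticks (constructed) */
};

struct tracker {
    int stage;              /* 0: idle, 1: SYN seen (X known), 2: SYN+ACK seen (Y known) */
    uint32_t x, y;          /* X = client's initial SEQ, Y = server's initial SEQ */
    unsigned long deadline; /* tick by which the third handshake must be seen */
};

/* Feed one intercepted packet to the tracker. */
int track_handshake(struct tracker *t, const struct pkt *p, unsigned long preset_ticks)
{
    if (t->stage > 0 && p->tick > t->deadline)
        return ATTACK;                              /* preset time passed, no third handshake */

    if (p->from_client && p->syn && !p->ack) {      /* first handshake: SYN, seq = X */
        if (t->stage != 0)
            return ATTACK;                          /* another SYN instead of completing */
        t->stage = 1;
        t->x = p->seq;
        t->deadline = p->tick + preset_ticks;
        return TRACKING;                            /* the SYN itself is let through */
    }
    if (!p->from_client && p->syn && p->ack) {      /* second handshake: SYN+ACK */
        if (t->stage == 1 && p->ack_num == t->x + 1) {
            t->stage = 2;
            t->y = p->seq;                          /* server's SEQ = Y */
        }
        return TRACKING;
    }
    if (p->from_client && !p->syn && p->ack &&      /* third handshake: ACK carrying Y+1 */
        t->stage == 2 && p->ack_num == t->y + 1) {
        t->stage = 0;
        return NOT_ATTACK;
    }
    return TRACKING;
}

/* Timer check for the case where no further packet arrives at all. */
int tracker_expire(const struct tracker *t, unsigned long now)
{
    return (t->stage > 0 && now > t->deadline) ? ATTACK : TRACKING;
}

static int run_stream(const struct pkt *s, size_t n, unsigned long preset, unsigned long now)
{
    struct tracker t = {0, 0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        int v = track_handshake(&t, &s[i], preset);
        if (v != TRACKING) return v;
    }
    return tracker_expire(&t, now);
}

/* Constructed stream: complete handshake, X = 1000, Y = 5000. */
int example_complete(void)
{
    const struct pkt s[] = {
        {1, 1, 0, 1000, 0,    10},   /* SYN      seq X */
        {0, 1, 1, 5000, 1001, 11},   /* SYN+ACK  ack X+1, seq Y */
        {1, 0, 1, 1001, 5001, 12},   /* ACK      ack Y+1 */
    };
    return run_stream(s, 3, 300, 400);
}

/* Constructed stream: a fresh SYN arrives where the ACK was due. */
int example_repeat_syn(void)
{
    const struct pkt s[] = {
        {1, 1, 0, 1000, 0,    10},
        {0, 1, 1, 5000, 1001, 11},
        {1, 1, 0, 2000, 0,    12},   /* first-handshake packet again */
    };
    return run_stream(s, 3, 300, 400);
}

/* Constructed stream: the client goes silent and the preset time runs out. */
int example_silent(void)
{
    const struct pkt s[] = {
        {1, 1, 0, 1000, 0,    10},
        {0, 1, 1, 5000, 1001, 11},
    };
    return run_stream(s, 2, 300, 400);      /* now = 400 > deadline = 310 */
}

int main(void)
{
    printf("complete handshake: %d (1 = not attack)\n", example_complete());
    printf("repeated SYN:       %d (-1 = attack)\n", example_repeat_syn());
    printf("silent client:      %d (-1 = attack)\n", example_silent());
    return 0;
}
```

A legitimate client whose SYN is retransmitted after packet loss trips the same "SYN instead of ACK" branch; that is precisely why step 105's re-check interval exists, so that a client flagged once is given a chance to behave normally before it is blacklisted permanently.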
Step 105: after the re-check interval has elapsed, count the number of SYN packets for that IP address again; if the count reaches the SYN packet threshold, store the IP address permanently in the blacklist linked list; if it does not, delete the IP address from the blacklist linked list.
In a specific embodiment of the invention, within the re-check interval after an IP address has been blacklisted for the first time, whenever a TCP connection packet from the client enters the HOOK function the blacklist linked list is queried, and if the client's IP address is present the packet is dropped directly.
After the re-check interval has elapsed, when a TCP connection packet from the client enters the HOOK function the blacklist linked list is no longer queried; instead the number of SYN packets for that IP address is counted again, starting from 0. This gives the user one chance to correct the situation, so that a client misoperation (for example a crash or power loss that stops the third-handshake packet from being sent) is not treated as an attack and permanently blacklisted, which would affect normal business traffic. If the client's SYN packets reach the threshold again, it is a genuine SYN packet attack: the flag for that IP address is changed to 0, meaning that any packet from that client is dropped forever.
Embodiment two:
The invention also provides an apparatus for preventing SYN packet attacks, which, as shown in Fig. 2, comprises a setup module 201, a first processing module 202, a second processing module 203 and a third processing module 204, where:
the setup module 201 is for registering a hook function in the kernel in advance, creating the tracking-monitoring linked list and the blacklist linked list, and setting the SYN packet threshold and the re-check interval;
specifically, the tracking-monitoring linked list comprises an IP address field and a TCP connection packet field, and its length is the number of IP addresses to be tracked;
the blacklist linked list comprises an IP address field and a blacklist flag field; when the flag has the first value, the IP address is permanently blacklisted and the TCP connection packets sent by the corresponding client are dropped directly; when the flag has the second value, the IP address is blacklisted for the duration of the re-check interval, and the TCP connection packets sent by the corresponding client cannot reach the server during that interval;
the SYN packet threshold is the maximum number of SYN packets per second permitted from the same IP address, and the re-check interval is the time, after an IP address is blacklisted for the first time, at which it is detected a second time whether its SYN packets reach the threshold;
the first processing module 202 is for using the hook function to parse the TCP connection packets sent by the client to the server, the TCP connection packet sent in the first handshake being the SYN packet;
the second processing module 203 is for adding an IP address to the tracking-monitoring linked list when the number of SYN packets from that address reaches the SYN packet threshold, and tracking the TCP connection packets subsequently sent by the corresponding client;
specifically, the TCP connection packet comprises a sequence field and an acknowledgement field, and the second processing module, at the first handshake, intercepts the first TCP connection packet sent by the client to the server and obtains its sequence value, denoted X, where X is an integer; lets the first packet through to the server; at the second handshake, intercepts the second TCP connection packet the server returns to the client as a response and obtains its acknowledgement value, which is X+1, and its sequence value, denoted Y, where Y is an integer; judges whether the client and server perform the third handshake within a preset time; if a third TCP connection packet sent by the client to the server is intercepted and its sequence value is Y+1, determines that the client is not an attack client; and if no third TCP connection packet is intercepted but another first-handshake TCP connection packet is, determines that the client is an attack client and that the TCP connection packets it sends are attack packets;
the third processing module 204 is for parsing the tracked TCP connection packets and, if a packet is determined to be an attack packet, adding its IP address to the blacklist linked list;
specifically, the third processing module sets the blacklist flag for that IP address to the second value; within the re-check interval, if a TCP connection packet sent by a client to the server is intercepted, it checks whether the client's IP address is in the blacklist linked list, and if so drops the packet;
after the re-check interval has elapsed, the third processing module counts again the number of SYN packets per second for that IP address; if the count reaches the SYN packet threshold, it sets the blacklist flag for that address to the first value; if it does not, it deletes the IP address from the blacklist linked list.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and executed by a processor inside the communication device, and when executed it performs all or part of the steps of the above method embodiments. The processor may be implemented as one or more processor chips, or may be part of one or more application-specific integrated circuits (ASICs); the storage medium may include, without limitation, flash memory, read-only memory (ROM), random access memory (RAM), a portable hard drive, a magnetic disk, an optical disc, or any other medium capable of storing program code.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the application, not to limit it. Although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the application.

Claims (16)

1. A method for preventing SYN packet attacks, characterized in that it comprises:
registering a hook function in the kernel in advance, creating a tracking-monitoring linked list and a blacklist linked list, and setting a SYN packet threshold and a re-check interval;
using the hook function to parse the TCP connection packets sent by the client to the server, where the TCP connection packet sent in the first handshake between client and server is a SYN (synchronization) packet;
when the number of SYN packets from the same IP address reaches the SYN packet threshold, adding that IP address to the tracking-monitoring linked list and tracking the TCP connection packets subsequently sent by the client corresponding to that IP address;
parsing the tracked TCP connection packets, and if a TCP connection packet is determined to be an attack packet, adding the IP address corresponding to that TCP connection packet to the blacklist linked list.
2. The method for preventing SYN packet attacks of claim 1, characterized in that the tracking-monitoring linked list comprises an IP address field and a TCP connection packet field; the length of the tracking-monitoring linked list is the number of IP addresses to be tracked and detected.
3. The method for preventing SYN packet attacks of claim 1, characterized in that the blacklist linked list comprises an IP address field and a blacklist flag field;
when the blacklist flag is the first value, it indicates that the IP address is permanently added to the blacklist linked list, and the TCP connection packets sent by the client corresponding to that IP address are discarded directly; when the blacklist flag is the second value, it indicates that the IP address is added to the blacklist linked list for the re-check interval, and the TCP connection packets sent by the client corresponding to that IP address cannot be forwarded to the server during the re-check interval.
4. The method for preventing SYN packet attacks of claim 1, characterized in that the SYN packet threshold represents the maximum number of SYN packets per second permitted from the same IP address;
the re-check interval represents the time between the first addition of the IP address to the blacklist linked list and the second detection that its SYN packets reach the SYN packet threshold.
5. The method for preventing SYN packet attacks of claim 1, characterized in that the method further comprises:
counting the number of SYN packets per second by the difference of a jiffies variable;
initializing the jiffies variable to 0 at startup, and incrementing the value of the jiffies variable each time the interrupt handling routine of the hook function parses a SYN packet.
6. The method for preventing SYN packet attacks of claim 1, characterized in that the TCP connection packet comprises a sequence field and an acknowledgment field;
the step of parsing the tracked TCP connection packets comprises:
parsing the tracked TCP connection packets according to the sequence field and the acknowledgment field.
7. The method for preventing SYN packet attacks of claim 6, characterized in that the step of parsing the tracked TCP connection packets according to the sequence field and the acknowledgment field comprises:
on the first handshake between client and server, intercepting the first TCP connection packet sent by the client to the server, obtaining the sequence value of the first TCP connection packet and recording it as X, where X is an integer; releasing the first TCP connection packet and forwarding it to the server;
on the second handshake between client and server, intercepting the second TCP connection packet returned by the server to the client as the response, obtaining the acknowledgment value of the second TCP connection packet, which is X+1; and obtaining the sequence value of the second TCP connection packet, recorded as Y, where Y is an integer.
8. The method for preventing SYN packet attacks of claim 7, characterized in that the method further comprises:
determining whether the client and server perform the third handshake within a preset time;
if a third TCP connection packet sent by the client to the server is intercepted, obtaining the sequence value of the third TCP connection packet, and if that sequence value is Y+1, determining that the client is not an attack client;
if no third TCP connection packet sent by the client to the server is intercepted, but a TCP connection packet performing the first handshake is intercepted instead, determining that the client is an attack client, the TCP connection packets sent by that attack client being attack packets.
9. The method for preventing SYN packet attacks of claim 3, characterized in that, after determining that the TCP connection packet is an attack packet and adding the IP address corresponding to the TCP connection packet to the blacklist linked list, the method further comprises:
setting the blacklist flag corresponding to that IP address to the second value;
during the re-check interval, if a TCP connection packet sent by the client to the server is intercepted, determining whether the IP address of the client is in the blacklist linked list;
if the IP address is in the blacklist linked list, discarding the TCP connection packet.
10. The method for preventing SYN packet attacks of claim 9, characterized in that the method further comprises:
after the re-check interval has elapsed, counting again the number of SYN packets per second corresponding to that IP address;
if the number of SYN packets reaches the SYN packet threshold, setting the blacklist flag corresponding to the IP address to the first value;
if the number of SYN packets does not reach the SYN packet threshold, deleting the IP address from the blacklist linked list.
11. A device for preventing SYN packet attacks, characterized in that it comprises:
a setting module, for registering a hook function in the kernel in advance, creating a tracking-monitoring linked list and a blacklist linked list, and setting a SYN packet threshold and a re-check interval;
a first processing module, for using the hook function to parse the TCP connection packets sent by the client to the server, where the TCP connection packet sent in the first handshake between client and server is a SYN packet;
a second processing module, for adding an IP address to the tracking-monitoring linked list when the number of SYN packets from that IP address reaches the SYN packet threshold, and tracking the TCP connection packets subsequently sent by the client corresponding to that IP address;
a third processing module, for parsing the tracked TCP connection packets, and if a TCP connection packet is determined to be an attack packet, adding the IP address corresponding to that TCP connection packet to the blacklist linked list.
12. The device for preventing SYN packet attacks of claim 11, characterized in that the tracking-monitoring linked list comprises an IP address field and a TCP connection packet field; the length of the tracking-monitoring linked list is the number of IP addresses to be tracked and detected;
the blacklist linked list comprises an IP address field and a blacklist flag field; when the blacklist flag is the first value, it indicates that the IP address is permanently added to the blacklist linked list, and the TCP connection packets sent by the client corresponding to that IP address are discarded directly; when the blacklist flag is the second value, it indicates that the IP address is added to the blacklist linked list for the re-check interval, and the TCP connection packets sent by the client corresponding to that IP address cannot be forwarded to the server during the re-check interval.
13. The device for preventing SYN packet attacks of claim 11, characterized in that the SYN packet threshold represents the maximum number of SYN packets per second permitted from the same IP address; the re-check interval represents the time between the first addition of the IP address to the blacklist linked list and the second detection that its SYN packets reach the SYN packet threshold.
14. The device for preventing SYN packet attacks of claim 11, characterized in that the TCP connection packet comprises a sequence field and an acknowledgment field;
the second processing module is specifically configured to:
on the first handshake between client and server, intercept the first TCP connection packet sent by the client to the server, obtain the sequence value of the first TCP connection packet and record it as X, where X is an integer; release the first TCP connection packet and forward it to the server;
on the second handshake between client and server, intercept the second TCP connection packet returned by the server to the client as the response, obtain the acknowledgment value of the second TCP connection packet, which is X+1; and obtain the sequence value of the second TCP connection packet, recorded as Y, where Y is an integer;
determine whether the client and server perform the third handshake within a preset time;
if a third TCP connection packet sent by the client to the server is intercepted, obtain the sequence value of the third TCP connection packet, and if that sequence value is Y+1, determine that the client is not an attack client;
if no third TCP connection packet sent by the client to the server is intercepted, but a TCP connection packet performing the first handshake is intercepted instead, determine that the client is an attack client, the TCP connection packets sent by that attack client being attack packets.
15. The device for preventing SYN packet attacks of claim 12, characterized in that the third processing module is further configured to: set the blacklist flag corresponding to that IP address to the second value; during the re-check interval, if a TCP connection packet sent by the client to the server is intercepted, determine whether the IP address of the client is in the blacklist linked list; and if the IP address is in the blacklist linked list, discard the TCP connection packet.
16. The device for preventing SYN packet attacks of claim 15, characterized in that the third processing module is further configured to: after the re-check interval has elapsed, count again the number of SYN packets per second corresponding to that IP address; if the number of SYN packets reaches the SYN packet threshold, set the blacklist flag corresponding to the IP address to the first value; and if the number of SYN packets does not reach the SYN packet threshold, delete the IP address from the blacklist linked list.
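The detection flow of the specification above and of claims 1 to 10, as an added Python simulation that is not the patent's own kernel code: a hook-style handler counts SYNs per IP over a trailing one-second window, records the handshake values X, X+1, Y and Y+1, blacklists a client that sends a new SYN instead of the third handshake, and applies the re-check interval with the two blacklist flag values. The IP addresses, thresholds and traffic traces are constructed; counting in seconds rather than jiffies, and re-counting on the first packet seen after the interval, are assumptions of this example.

```python
from collections import defaultdict, deque

PERMANENT, TEMPORARY = 1, 2  # the blacklist flag's "first value" and "second value"

class SynGuard:
    """Per-IP SYN counting, handshake tracking and a two-stage blacklist (seconds, not jiffies)."""
    def __init__(self, threshold, recheck_interval, preset_time):
        self.threshold = threshold              # max SYNs per second from one IP
        self.recheck_interval = recheck_interval
        self.preset_time = preset_time          # how long to wait for the third handshake
        self.syn_times = defaultdict(deque)     # ip -> arrival times of recent SYNs
        self.tracking = {}                      # tracking-monitoring list: ip -> handshake state
        self.blacklist = {}                     # blacklist list: ip -> {"flag", "since"}

    def syn_rate(self, ip, now):                # SYNs from ip in the trailing one-second window
        q = self.syn_times[ip]
        while q and now - q[0] >= 1.0:
            q.popleft()
        return len(q)

    def _blacklist_verdict(self, ip, now):
        """Drop while listed; after the re-check interval, count again and decide (assumed)."""
        entry = self.blacklist.get(ip)
        if entry is None:
            return None
        if entry["flag"] == PERMANENT or now - entry["since"] < self.recheck_interval:
            return "drop"
        if self.syn_rate(ip, now) >= self.threshold:
            entry["flag"] = PERMANENT           # still flooding: blacklist permanently
            return "drop"
        del self.blacklist[ip]                  # rate fell below the threshold: release
        return None

    def handle(self, pkt, now):
        """Hook entry point. pkt = (src, dst, flags, seq, ack); returns 'pass' or 'drop'."""
        src, dst, flags, seq, ack = pkt
        if flags == "SYN-ACK":                  # second handshake, server -> client
            state = self.tracking.get(dst)
            if state and state["stage"] == "await_synack" and ack == state["x"] + 1:
                state.update(stage="await_ack", y=seq, t=now)
            return "pass"
        if flags == "SYN":
            self.syn_times[src].append(now)     # counted even if dropped afterwards
        verdict = self._blacklist_verdict(src, now)
        if verdict:
            return verdict
        state = self.tracking.get(src)
        if flags == "SYN":
            if state and state["stage"] == "await_ack":
                del self.tracking[src]          # a new SYN instead of the third handshake
                self.blacklist[src] = {"flag": TEMPORARY, "since": now}
                return "drop"
            if state is None and self.syn_rate(src, now) >= self.threshold:
                self.tracking[src] = {"stage": "await_synack", "x": seq}
        elif flags == "ACK" and state and state["stage"] == "await_ack":
            if seq == state["y"] + 1 and now - state["t"] <= self.preset_time:
                del self.tracking[src]          # third handshake seen: not an attack client
        return "pass"

def run_legit_scenario():
    """Constructed trace: 192.0.2.7 bursts three SYNs but completes the handshake."""
    g = SynGuard(threshold=3, recheck_interval=5.0, preset_time=1.0)
    client, server = "192.0.2.7", "198.51.100.1"
    for i, t in enumerate((0.0, 0.1, 0.2)):
        g.handle((client, server, "SYN", 100 * (i + 1), 0), t)
    tracked = client in g.tracking
    g.handle((server, client, "SYN-ACK", 7000, 301), 0.25)   # ack = X + 1
    g.handle((client, server, "ACK", 7001, 0), 0.3)          # seq = Y + 1, within preset time
    return tracked, client in g.tracking, client in g.blacklist

def run_flood_scenario():
    """Constructed trace: 10.0.0.9 floods SYNs and never sends the third handshake."""
    g = SynGuard(threshold=3, recheck_interval=5.0, preset_time=1.0)
    atk, server = "10.0.0.9", "198.51.100.1"
    verdicts = [g.handle((atk, server, "SYN", 100 * (i + 1), 0), 0.1 * i) for i in range(3)]
    verdicts.append(g.handle((server, atk, "SYN-ACK", 5000, 301), 0.3))
    verdicts.append(g.handle((atk, server, "SYN", 400, 0), 0.4))    # new SYN, no ACK
    temp_flag = g.blacklist[atk]["flag"]
    for k in range(5, 56):                      # keeps flooding through the re-check interval
        verdicts.append(g.handle((atk, server, "SYN", 999, 0), 0.1 * k))
    return verdicts, temp_flag, g.blacklist[atk]["flag"]
```

The legitimate client is tracked once it reaches the threshold and released as soon as its ACK with sequence value Y+1 arrives; the flooding client is blacklisted temporarily on its fourth SYN and permanently once the re-check still finds it above the threshold.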
CN201510894043.3A 2015-12-07 2015-12-07 A kind of method and apparatus preventing synchronous packet attack Active CN105323259B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510894043.3A CN105323259B (en) 2015-12-07 2015-12-07 A kind of method and apparatus preventing synchronous packet attack

Publications (2)

Publication Number Publication Date
CN105323259A true CN105323259A (en) 2016-02-10
CN105323259B CN105323259B (en) 2018-07-31

Family

ID=55249854

Country Status (1)

Country Link
CN (1) CN105323259B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106131063A (en) * 2016-08-23 2016-11-16 杭州华三通信技术有限公司 Network security processing method and device
CN106330911A (en) * 2016-08-25 2017-01-11 广东睿江云计算股份有限公司 CC (Challenge Collapsar) attack protection method and device
CN107948197A (en) * 2017-12-26 2018-04-20 北京星河星云信息技术有限公司 Method for defending against half-open connection attacks and half-open connection attack defense platform
CN108833410A (en) * 2018-06-19 2018-11-16 网宿科技股份有限公司 Protection method and system for HTTP flood attacks
CN108848196A (en) * 2018-09-25 2018-11-20 四川长虹电器股份有限公司 Method for monitoring communication services based on TCP connection count
CN109644203A (en) * 2016-08-17 2019-04-16 微软技术许可有限责任公司 Interrupting synchronization of content between a client device and a cloud-based storage service
CN110620794A (en) * 2019-10-31 2019-12-27 国网河北省电力有限公司电力科学研究院 Method and device for preventing MAC address flooding attack
CN114944951A (en) * 2022-05-18 2022-08-26 北京天融信网络安全技术有限公司 Request processing method and device, mimicry equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020103916A1 (en) * 2000-09-07 2002-08-01 Benjie Chen Thwarting connection-based denial of service attacks
CN101136917A (en) * 2007-07-12 2008-03-05 中兴通讯股份有限公司 Transmission control protocol blocking module and soft switch method
CN101175013A (en) * 2006-11-03 2008-05-07 飞塔信息科技(北京)有限公司 Method, network system and proxy server for preventing denial of service attack
US20080271146A1 (en) * 2004-07-09 2008-10-30 Rooney John G Identifying a distributed denial of service (DDoS) attack within a network and defending against such an attack
CN101567812A (en) * 2009-03-13 2009-10-28 华为技术有限公司 Method and device for detecting network attack
CN101707539A (en) * 2009-11-26 2010-05-12 成都市华为赛门铁克科技有限公司 Method and device for detecting worm virus and gateway equipment
CN103685294A (en) * 2013-12-20 2014-03-26 北京奇虎科技有限公司 Method and device for identifying attack sources of denial of service attack
CN104219215A (en) * 2013-06-05 2014-12-17 深圳市腾讯计算机系统有限公司 Method, device, terminal, server and system for establishment of TCP (transmission control protocol) connection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20201104

Address after: 318015 no.2-3167, zone a, Nonggang City, no.2388, Donghuan Avenue, Hongjia street, Jiaojiang District, Taizhou City, Zhejiang Province

Patentee after: Taizhou Jiji Intellectual Property Operation Co.,Ltd.

Address before: 201616 Shanghai city Songjiang District Sixian Road No. 3666

Patentee before: Phicomm (Shanghai) Co.,Ltd.