CN105592055A - Anti-attack method and device for TCP SYN FLOOD - Google Patents

Info

Publication number: CN105592055A
Authority: CN (China)
Prior art keywords: message, tcpsyn, interface, queue, type
Legal status: Pending
Application number: CN201510598259.5A
Other languages: Chinese (zh)
Inventor: 吴文
Current Assignee: Hangzhou H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201510598259.5A; publication of CN105592055A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The present invention provides an anti-attack method and device for TCP SYN FLOOD. The technical scheme comprises: after a TCP SYN FLOOD attack is detected on an interface, the TCP SYN messages received on that interface are added to a detection queue for identification; normal TCP SYN messages and abnormal TCP SYN messages are determined; the normal TCP SYN messages are sent to the CPU for processing, and the abnormal TCP SYN messages are discarded. The anti-attack method and device for TCP SYN FLOOD can effectively defend against TCP SYN FLOOD attacks.

Description

Anti-attack method and device for TCP SYN FLOOD
Technical field
The present invention relates to the field of communication technology, and in particular to an anti-attack method and device for TCP SYN FLOOD.
Background technology
The Border Gateway Protocol (BGP) neighbor establishment process is as follows: the local router first establishes a TCP connection with the neighbor router (the TCP three-way handshake); if the TCP connection is established successfully, BGP sends an OPEN message to the neighbor router and waits for the OPEN message sent by the neighbor router; after receiving the neighbor router's OPEN message, it checks all fields of the message and, if no error is found, sends a KEEPALIVE message to the neighbor router and starts the KEEPALIVE timer; after the neighbor router's KEEPALIVE message is received, the neighbor relationship between the local router and the neighbor router is established.
It can be seen that BGP uses TCP as its transport, and therefore also inherits the problems of TCP, for example TCP SYN Flood attacks. TCP SYN Flood is a remote denial of service (DoS) attack that exploits a defect of the TCP protocol: a large number of forged TCP connection requests are sent so that the resources of the attacked party are exhausted (CPU fully loaded or memory insufficient).
Summary of the invention
In view of this, the object of the present invention is to provide an anti-attack method and device for TCP SYN FLOOD that can effectively defend against TCP SYN FLOOD attacks.
In order to achieve the above object, the present invention provides the following technical scheme:
An anti-attack method for TCP SYN FLOOD, comprising:
after a TCP SYN FLOOD attack is detected on an interface, adding the TCP SYN messages received on that interface to a detection queue;
identifying the TCP SYN messages added to the detection queue, determining normal TCP SYN messages and abnormal TCP SYN messages, transferring the normal TCP SYN messages from the detection queue to the upload queue (the queue of messages to be sent up to the CPU) so that they are sent to the CPU for processing, and deleting the abnormal TCP SYN messages in the detection queue.
An anti-attack device for TCP SYN FLOOD, comprising: a detecting unit, a receiving unit and a processing unit;
the detecting unit is configured to detect whether a TCP SYN FLOOD attack has occurred on an interface;
the receiving unit is configured to add the TCP SYN messages received on the interface to a detection queue after the detecting unit detects a TCP SYN FLOOD attack on that interface;
the processing unit is configured to identify the TCP SYN messages added to the detection queue, determine normal TCP SYN messages and abnormal TCP SYN messages, transfer the normal TCP SYN messages from the detection queue to the upload queue so that they are sent to the CPU for processing, and delete the abnormal TCP SYN messages in the detection queue.
It can be seen from the above technical scheme that, in the present invention, after a TCP SYN FLOOD attack is detected on an interface, the TCP SYN messages received on that interface are placed into a detection queue; the messages entering the detection queue are identified to determine normal TCP SYN messages and abnormal TCP SYN messages; normal TCP SYN messages are moved to the upload queue to be sent to the CPU for processing, and abnormal TCP SYN messages are deleted from the detection queue. Since only normal TCP SYN messages can be sent up to the CPU for processing, the processing pressure on the CPU is greatly reduced, and TCP SYN FLOOD attacks can be effectively defended against.
Brief description of the drawings
Fig. 1 is a flow chart of the anti-attack method for TCP SYN FLOOD according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the anti-attack device for TCP SYN FLOOD according to an embodiment of the present invention.
Detailed description of the invention
In order to make the object, technical scheme and advantages of the present invention clearer, the technical scheme of the present invention is described in detail below with reference to the accompanying drawings and according to embodiments.
Referring to Fig. 1, Fig. 1 is a flow chart of the anti-attack method for TCP SYN FLOOD according to an embodiment of the present invention. As shown in Fig. 1, the method mainly comprises the following steps:
Step 101: under normal circumstances, when a TCP SYN message is received on an interface, the TCP SYN message is added to the upload queue (the queue of messages to be sent up to the CPU).
Here, normal circumstances refers to the situation in which no TCP SYN FLOOD attack has been detected on the interface.
Under normal circumstances, all TCP SYN messages received on the interface enter the upload queue, and the TCP SYN messages in the upload queue are sent up to the CPU for processing; that is, every TCP SYN message entering the upload queue is sent to the CPU for processing as a normal message.
Step 102: after a TCP SYN FLOOD attack is detected on the interface, the TCP SYN messages received on that interface are added to the detection queue.
In practical applications, the upload queue is provided with an upload rate threshold, and the upload rate of the upload queue cannot exceed this threshold (a number of messages per second). Under normal circumstances, because TCP SYN messages are few, the upload rate of the upload queue does not exceed the upload rate threshold. However, when a TCP SYN FLOOD attack occurs on the interface, a large number of TCP SYN messages hit the interface and enter the upload queue, so that the upload rate of the upload queue rises rapidly above the upload rate threshold.
Therefore, whether a TCP SYN FLOOD attack has occurred on the interface can be judged from the upload rate of the upload queue and the upload rate threshold: if the upload rate of the upload queue exceeds the preset upload rate threshold, it is determined that a TCP SYN FLOOD attack has occurred on the interface; if the upload rate of the upload queue does not exceed the preset upload rate threshold, it is determined that no TCP SYN FLOOD attack has occurred on the interface.
After a TCP SYN FLOOD attack is detected on the interface, the TCP SYN messages received on the interface are no longer added to the upload queue for sending to the CPU, but are added to the detection queue, where normal messages (non-attack messages, i.e. TCP SYN messages sent by legitimate users) and abnormal messages (i.e. TCP SYN messages forged by the attacker) are identified.
It should be noted that in this embodiment each interface has its own upload queue and detection queue; the reception of TCP SYN messages, their addition to the upload queue or the detection queue, and the detection of whether a TCP SYN FLOOD attack has occurred are all performed per interface.
Step 103: each type of message added to the detection queue is identified, normal TCP SYN messages and abnormal TCP SYN messages are determined, the normal TCP SYN messages are transferred from the detection queue to the upload queue to be sent to the CPU for processing, and the abnormal TCP SYN messages in the detection queue are deleted.
In this embodiment, TCP SYN messages having the same source IP address, source port, destination IP address and destination port are regarded as messages of the same type.
In practical applications, the time interval at which TCP SYN messages are retransmitted follows a certain rule. For example, after a device first sends a TCP SYN message, if no response message is received it sends the TCP SYN message again after an interval of 2 seconds; if no response message is received after the second TCP SYN message, it sends the TCP SYN message again after an interval of 4 seconds; if no response message is received after the third TCP SYN message, it sends the TCP SYN message again after an interval of 8 seconds; and so on until a response message is received or the number of transmissions exceeds the maximum number of retransmissions allowed. Under normal circumstances, the maximum number of retransmissions allowed is 3, and the retransmission time interval also follows a certain rule.
Based on the above retransmission characteristics of TCP SYN messages, the identification method for TCP SYN messages provided by the embodiment of the present invention may comprise:
within a first preset duration, recording the TCP SYN messages in the detection queue, including: the number of messages of each type, the last time a message of that type was received, and the time difference between the two most recent receptions of a message of that type;
when the first preset duration ends, judging each type of message according to the recorded results as follows:
if the recorded number of messages of the type is 1, then, since a message of that type has been received only once, it cannot be determined from the retransmission count and the retransmission time interval whether the type is a normal message or an abnormal message; the type is therefore not processed for now, and is treated as a pending message that continues to be recorded in the next first preset duration;
if the recorded number of messages of the type is greater than 1 and not greater than the preset maximum number of TCP SYN retransmissions, and the time difference between the two most recent receptions of the type matches the preset TCP SYN retransmission time interval, it is determined that the type conforms to the retransmission characteristics of TCP SYN messages and is therefore a normal TCP SYN message;
if the recorded result of the type belongs to neither of the above two cases, i.e. the recorded number of messages of the type is greater than the maximum number of retransmissions, or the recorded number is greater than 1 and not greater than the preset maximum number of TCP SYN retransmissions but the time difference between the two most recent receptions does not match the preset TCP SYN retransmission time interval, it is determined that the type does not conform to the retransmission characteristics of TCP SYN messages and is an abnormal TCP SYN message.
It should be noted that, because storage space is limited, the recording of TCP SYN messages in the detection queue must be bounded: a maximum record count is set, and once it is exceeded no further records are kept; at that point all TCP SYN messages remaining in the detection queue that have not yet been recorded may be discarded directly.
Because message transmission involves delay, messages that the sender transmits X seconds apart are not necessarily received X seconds apart by the receiver; there is some error. Therefore, when judging whether the time difference between the two most recent receptions of a type matches the TCP SYN retransmission time interval, the possible error must be taken into account, and the retransmission time interval is set as a time period. For example:
suppose the first retransmission interval is 2; a corresponding time period (2-Δt, 2+Δt) can be set, and when the number of messages of a certain type received is 2, if the time difference between the two most recent receptions of the type falls within (2-Δt, 2+Δt), the type is considered to match the TCP SYN retransmission time interval;
suppose the second retransmission interval is 4; a corresponding time period (4-Δt, 4+Δt) can be set, and when the number of messages of a certain type received is 3, if the time difference between the two most recent receptions of the type falls within (4-Δt, 4+Δt), the type is considered to match the TCP SYN retransmission time interval.
The above Δt can be preset; for example, a value of 0.1 is a fine-tuning value.
In this embodiment, once identification has determined that a type of message is a normal TCP SYN message, any message of that type received again can be directly regarded as a normal TCP SYN message, so it need not be added to the detection queue for identification again but is added directly to the upload queue. To this end, after identification determines that a certain type of message received on the interface is a normal TCP SYN message, a first ACL for adding messages of that type to the upload queue may further be issued on the interface; the first ACL rule contains the source IP address, source port, destination IP address and destination port of that type. If a TCP SYN message matching the source IP address, source port, destination IP address and destination port in the first ACL is received thereafter, the message is added to the upload queue.
In this embodiment, once identification has determined that a type of message is an abnormal TCP SYN message, any message of that type received again can be directly regarded as an abnormal TCP SYN message, so it need not be added to the detection queue for identification again but is discarded directly. To this end, after identification determines that a certain type of message received on the interface is an abnormal TCP SYN message, a second ACL for discarding messages of that type may further be issued on the interface; the second ACL contains the source IP address, source port, destination IP address and destination port of that type. If a TCP SYN message matching the source IP address, source port, destination IP address and destination port in the second ACL is received thereafter, the TCP SYN message is discarded.
Accordingly, in step 102, after a TCP SYN FLOOD attack is detected on the interface, ACL matching must also be performed on the received TCP SYN messages: if a received TCP SYN message matches the first ACL, it is added to the upload queue to be sent to the CPU for processing; if it matches the second ACL, it is discarded; otherwise, it is added to the detection queue.
In this embodiment, under normal circumstances the TCP SYN messages received on the interface are added directly to the upload queue; after a TCP SYN FLOOD attack is detected on the interface, the TCP SYN messages received on the interface are added to the detection queue for identification of normal messages and abnormal messages, and only normal messages are transferred to the upload queue, so that TCP SYN FLOOD attacks can be effectively prevented.
Furthermore, after a TCP SYN FLOOD attack is detected on the interface, if the attacker stops the TCP SYN FLOOD attack, the number of TCP SYN messages hitting the interface drops greatly; it is then no longer necessary to add the TCP SYN messages received on the interface to the detection queue, and the message handling flow for normal circumstances is restored: TCP SYN messages received on the interface are added to the upload queue. In a specific implementation, the rate at which the interface receives TCP SYN messages can be calculated in each first preset duration; if that rate is less than the preset upload rate threshold in N consecutive first preset durations, all first ACLs and second ACLs previously issued on the interface are deleted, and at the same time all TCP SYN messages in the current detection queue are transferred from the detection queue to the upload queue to be sent to the CPU for processing. Here N is a preset value, which may be a positive integer.
The rate at which the interface receives TCP SYN messages in each first preset duration can be calculated in either of the following two ways:
First: the number of TCP SYN messages received on the interface within the first preset duration divided by the first preset duration is taken as the rate at which the interface receives TCP SYN messages in that first preset duration.
Second: within the first preset duration, calculate the rate X1 of TCP SYN messages added to the detection queue and recorded, the rate X2 of TCP SYN messages hitting the first ACL, and the rate X3 of TCP SYN messages hitting the second ACL, and take the sum of X1, X2 and X3 as the rate at which the interface receives TCP SYN messages in that first preset duration. It should be noted that, because the first ACL and the second ACL have not yet been set on the interface during the very first preset duration, the calculated values of X2 and X3 are 0 when that first preset duration ends.
In this embodiment, the TCP SYN messages are BGP protocol messages, and applying the present invention provides defence against TCP SYN FLOOD attacks that may occur during the BGP neighbor establishment process.
In this embodiment, the detection queue may be controlled by software or by hardware; preferably, to improve processing speed, the detection queue is controlled by hardware, i.e. the detection queue may be a hardware queue implemented in hardware.
The embodiment of the present invention shown in Fig. 1 is described in detail below with a concrete example.
Taking a certain interface on a device as an example:
Suppose that at the beginning the interface has not encountered a TCP SYN FLOOD attack. The TCP SYN messages entering from the interface are all sent to the upload queue corresponding to the interface (the TCP SYN messages in the upload queue are sent up to the CPU for processing); during this process, the upload rate of the interface's upload queue does not exceed the preset upload rate threshold.
Suppose that at a certain moment an attacker starts forging a large number of TCP SYN messages and sending them to the interface to carry out a TCP SYN FLOOD attack. The interface then quickly receives a large number of TCP SYN messages, which are added to the interface's upload queue and cause its upload rate to rise rapidly above the preset upload rate threshold. From then on, the TCP SYN messages received on the interface are added to the detection queue corresponding to the interface.
For the TCP SYN messages entering the detection queue, message identification is performed once every first preset duration (assumed to be 3 seconds). Suppose the TCP SYN messages entering the detection queue within the first such duration comprise the following three types, and the recorded results are as shown in Table 1:
Table 1
From the recorded results it can be seen that:
for the TCP SYN messages whose source IP address, destination IP address, source port and destination port are 1.1.1.1, 2.2.2.2, 5000 and 5000 respectively, the number of messages counted in the first preset duration is 1, so it cannot be determined whether they are normal or abnormal TCP SYN messages; they are treated as pending messages and continue to take part in identification in the next first preset duration (in which this message type is still recorded and identified according to the recorded results);
for the TCP SYN messages whose source IP address, destination IP address, source port and destination port are 1.1.1.2, 2.2.2.2, 6000 and 5000 respectively, the number of messages counted in the first preset duration is 3 and the time difference between the two most recent receptions is 4 seconds, which clearly conforms to the retransmission characteristics of TCP SYN messages; they are therefore determined to be normal TCP SYN messages, and a first ACL for adding messages of this type to the interface's upload queue is issued on the interface, so that when a message of this type is received again on the interface it is added to the interface's upload queue by matching the first ACL;
for the TCP SYN messages whose source IP address, destination IP address, source port and destination port are 1.1.1.3, 2.2.2.2, 7000 and 5000 respectively, the number of messages counted in the first preset duration is 10 and the time difference between the two most recent receptions is 0.2 seconds; neither the number of messages nor the time difference between the two most recent receptions conforms to the retransmission characteristics of TCP SYN messages, so they are determined to be abnormal TCP SYN messages, and a second ACL for discarding messages of this type is issued on the interface, so that when a message of this type is received again it is discarded by matching the second ACL.
The message identification in the second, third, ..., nth first preset durations is the same as that in the first one (there is no time gap between two adjacent first preset durations).
If the rate at which the interface receives TCP SYN messages is less than the preset upload rate threshold in N consecutive first preset durations, all first ACLs and second ACLs issued on the interface are deleted, and all TCP SYN messages in the detection queue at that time (after the Nth first preset duration ends) are transferred to the upload queue to be sent to the CPU for processing. Thereafter, TCP SYN messages received on the interface are again added to the upload queue, until a TCP SYN FLOOD attack is detected on the interface again.
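As an added example (not code from the patent or from H3C), the following Python model implements the identification rules of step 103 and the per-interface flow of the worked example above: upload-rate attack detection, the detection queue with one record per message type, the pending/normal/abnormal verdict at the end of each first preset duration, the first and second ACLs, and recovery after N quiet durations. The 2/4/8 s intervals, 3 retransmissions and Δt = 0.1 are the page's values; the class and function names, the window length, the rate threshold, N and the way the rates are measured are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A "message type" is the 4-tuple (source IP, source port, destination IP, destination port).
FlowKey = Tuple[str, int, str, int]


@dataclass
class FlowRecord:
    count: int = 0                     # number of messages of this type received
    last_seen: float = 0.0             # time the last message of this type was received
    last_gap: Optional[float] = None   # time difference between the two most recent receptions


def classify(rec: FlowRecord, max_retrans: int = 3,
             intervals: Tuple[float, ...] = (2.0, 4.0, 8.0), delta: float = 0.1) -> str:
    """The patent's three rules for one record when a first preset duration ends.

    intervals[k] is the expected gap before the (k+2)-th message of a type: 2 s, 4 s, 8 s.
    max_retrans = 3 and delta = 0.1 s are the page's stated values.
    """
    if rec.count == 1:
        return "pending"               # one message only: cannot judge, keep recording
    idx = rec.count - 2
    if 1 < rec.count <= max_retrans and idx < len(intervals) and rec.last_gap is not None:
        if abs(rec.last_gap - intervals[idx]) < delta:   # gap lies in (T - dt, T + dt)
            return "normal"
    return "abnormal"                  # too many messages, or gap off the retransmit schedule


class SynFloodGuard:
    """Per-interface upload queue, detection queue, first/second ACLs and recovery.
    Assumption: upload rate = messages uploaded so far in this window / window length;
    the receive rate used for recovery is the page's first method (received / window)."""

    def __init__(self, window: float = 3.0, rate_threshold: float = 100.0,
                 quiet_windows: int = 3, max_records: int = 1000) -> None:
        self.window, self.rate_threshold = window, rate_threshold
        self.quiet_needed, self.max_records = quiet_windows, max_records
        self.attack = False
        self.upload_queue: List[FlowKey] = []           # messages handed up to the CPU
        self.records: Dict[FlowKey, FlowRecord] = {}    # the detection queue's records
        self.allow_acl: Set[FlowKey] = set()            # first ACL: forward directly
        self.drop_acl: Set[FlowKey] = set()             # second ACL: discard directly
        self.window_end = window
        self.received = self.uploaded = 0               # counters for the current window
        self.quiet = 0                                  # consecutive low-rate windows

    def _identify(self) -> None:
        """End-of-window identification (step 103) of every recorded message type."""
        for key, rec in list(self.records.items()):
            verdict = classify(rec)
            if verdict == "pending":
                continue                                # stays in the detection queue
            del self.records[key]
            if verdict == "normal":
                self.allow_acl.add(key)
                self.upload_queue.extend([key] * rec.count)  # move queued copies to the CPU
            else:
                self.drop_acl.add(key)                  # queued copies are deleted

    def _recover(self) -> None:
        """N quiet windows: delete all ACLs, flush the detection queue, back to normal mode."""
        self.allow_acl.clear()
        self.drop_acl.clear()
        for key, rec in self.records.items():
            self.upload_queue.extend([key] * rec.count)
        self.records.clear()
        self.attack, self.quiet = False, 0

    def _close_windows(self, now: float) -> None:
        while now >= self.window_end:                   # a first preset duration has ended
            if self.attack:
                self._identify()
                low = self.received / self.window < self.rate_threshold
                self.quiet = self.quiet + 1 if low else 0
                if self.quiet >= self.quiet_needed:
                    self._recover()
            self.received = self.uploaded = 0
            self.window_end += self.window

    def on_syn(self, key: FlowKey, now: float) -> str:
        """Handle one received TCP SYN message; returns 'upload', 'detect' or 'drop'."""
        self._close_windows(now)
        self.received += 1
        if not self.attack:                             # step 101: straight to the upload queue
            self.upload_queue.append(key)
            self.uploaded += 1
            if self.uploaded / self.window > self.rate_threshold:
                self.attack = True                      # upload rate exceeded: attack detected
            return "upload"
        if key in self.allow_acl:                       # step 102 with ACL matching
            self.upload_queue.append(key)
            return "upload"
        if key in self.drop_acl:
            return "drop"
        rec = self.records.get(key)
        if rec is None:
            if len(self.records) >= self.max_records:   # record limit reached: discard
                return "drop"
            rec = self.records[key] = FlowRecord()
        if rec.count:
            rec.last_gap = now - rec.last_seen
        rec.count += 1
        rec.last_seen = now
        return "detect"
```

Feeding `classify` the three rows of Table 1 (counts 1, 3 and 10 with gaps of 4 s and 0.2 s) reproduces the pending, normal and abnormal verdicts described above; note that a legitimate SYN uploaded before the attack was flagged is not in the record, so its first retransmission seen by the detection queue counts as message 1.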
The anti-attack method for TCP SYN FLOOD according to the embodiment of the present invention has been described in detail above. The present invention also provides an anti-attack device for TCP SYN FLOOD, which is described in detail below with reference to Fig. 2.
Referring to Fig. 2, Fig. 2 is a schematic structural diagram of the anti-attack device for TCP SYN FLOOD according to an embodiment of the present invention. As shown in Fig. 2, the device comprises: a detecting unit 201, a receiving unit 202 and a processing unit 203, wherein:
the detecting unit 201 is configured to detect whether a TCP SYN FLOOD attack has occurred on an interface;
the receiving unit 202 is configured to add the TCP SYN messages received on the interface to a detection queue after the detecting unit 201 detects a TCP SYN FLOOD attack on that interface;
the processing unit 203 is configured to identify the TCP SYN messages added to the detection queue, determine normal TCP SYN messages and abnormal TCP SYN messages, transfer the normal TCP SYN messages from the detection queue to the upload queue to be sent to the CPU for processing, and delete the abnormal TCP SYN messages in the detection queue; wherein TCP SYN messages having the same source IP address, source port, destination IP address and destination port belong to the same message type.
In the device shown in Fig. 2,
the receiving unit 202 is further configured, before the detecting unit 201 detects a TCP SYN FLOOD attack on the interface, to add the TCP SYN messages received on the interface to the upload queue to be sent to the CPU for processing;
when detecting whether a TCP SYN FLOOD attack has occurred on the interface, the detecting unit 201 is configured to: determine that a TCP SYN FLOOD attack has occurred on the interface if the upload rate of the upload queue exceeds the preset upload rate threshold, and otherwise determine that no TCP SYN FLOOD attack has occurred on the interface.
In the device shown in Fig. 2,
the processing unit 203 identifying the TCP SYN messages added to the detection queue and determining normal TCP SYN messages and abnormal TCP SYN messages comprises:
within a first preset duration, recording the TCP SYN messages in the detection queue, including: the number of messages of each type, the last time a message of that type was received, and the time difference between the two most recent receptions of a message of that type;
when the first preset duration ends, if the recorded number of messages of a type is 1, treating that type as a pending message and continuing to record it in the next first preset duration; if the recorded number of messages of the type is greater than 1 and not greater than the preset maximum number of TCP SYN retransmissions and the time difference between the two most recent receptions of the type matches the preset TCP SYN retransmission time interval, determining that the type is a normal TCP SYN message; if the recorded number of messages of the type is greater than the preset maximum number of TCP SYN retransmissions, or the recorded number is greater than 1 and not greater than the preset maximum number of TCP SYN retransmissions but the time difference between the two most recent receptions does not match the preset TCP SYN retransmission time interval, determining that the type is an abnormal TCP SYN message; wherein TCP SYN messages having the same source IP address, source port, destination IP address and destination port belong to the same message type.
In the device shown in Fig. 2,
after determining that a type is a normal TCP SYN message, the processing unit 203 is further configured to issue a first ACL on the interface, the first ACL comprising the source IP address, source port, destination IP address and destination port of that type;
after determining that a type is an abnormal TCP SYN message, the processing unit 203 is further configured to issue a second ACL on the interface, the second ACL comprising the source IP address, source port, destination IP address and destination port of that type;
after the detecting unit 201 detects a TCP SYN FLOOD attack on the interface, the receiving unit 202 is further configured to: add a TCP SYN message received on the interface to the upload queue to be sent to the CPU for processing if it matches the first ACL, discard it if it matches the second ACL, and otherwise add it to the detection queue.
In the device shown in Fig. 2,
after the detecting unit 201 detects a TCP SYN FLOOD attack on the interface, the processing unit 203 is further configured to: calculate the rate at which the interface receives TCP SYN messages in each first preset duration, and if that rate is less than the preset maximum upload rate threshold in N consecutive first preset durations, delete the first ACL rule and the second ACL rule and transfer all TCP SYN messages in the current detection queue to the upload queue to be sent to the CPU for processing; wherein N is a preset value.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. an anti-attack method of TCPSYNFLOOD, is characterized in that, the method comprises:
After detecting that on interface TCPSYNFLOOD attacks, by the TCPSYN receiving at this interfaceMessage adds detection queue;
Detect the TCPSYN message of queue to adding and identify, determine normal TCPSYN message and differentNormal TCPSYN message, is transferred to normal TCPSYN message to send queue with on carrying out from detection queueSend CPU to process, and delete the abnormal T CPSYN message detecting in queue.
2. method according to claim 1, is characterized in that,
Before detecting that on interface TCPSYNFLOOD attacks, further comprise: will connect at this interfaceThe TCPSYN message of receiving adds and send queue to carry out transmitted to CPU processing;
Detect whether on interface, occur TCPSYNFLOOD attack method be: if on send queueUploading rate exceedes default uploading rate thresholding, determines that on this interface, TCPSYNFLOOD having occurred attacksHit, otherwise, determine that on this interface, TCPSYNFLOOD not occurring attacks.
3. method according to claim 2, is characterized in that,
Detect the TCPSYN message of queue to adding and identify, determine normal TCPSYN message and differentNormal TCPSYN message, comprising:
In the first default duration, the TCPSYN message detecting in queue is carried out to record, comprising: each classThe quantity of type message, the last time that receives the type message, nearest the type message that receives for twiceTime difference;
When the described first default duration finishes, if the quantity of the type message of record is 1, by the typeMessage carries out record as message undetermined in the next first default duration; If the type message of recordQuantity be greater than 1 and be not more than default TCPSYN message maximum retransmission and nearest twice receptionThe time difference of the type message meets default TCPSYN message retransmission time interval, determines the type reportLiterary composition is normal TCPSYN message; If the quantity of the type message of record is greater than default TCPSYNMessage maximum retransmission, or the quantity of the type message of record is greater than 1 and be not more than default TCPSYN message maximum retransmission and the nearest time difference that receives the type message for twice do not meet defaultTCPSYN message retransmission time interval, determines that the type message is abnormal T CPSYN message;
Wherein, there is the TCPSYN of identical source IP address, source port, object IP address, destination interfaceMessage belongs to same type message.
4. method according to claim 3, is characterized in that,
After described definite the type message is normal TCPSYN message, further comprise: issue at this interfaceThe one ACL, an ACL comprises: the source IP address of the type message, source port, object IP address,Destination interface;
After described definite the type message is abnormal T CPSYN message, further comprise: issue at this interfaceThe 2nd ACL, the 2nd ACL comprises: the source IP address of the type message, source port, object IP address,Destination interface;
After detecting that on interface TCPSYNFLOOD attacks, further comprise: if at this interfaceThe TCPSYN message receiving meets an ACL, this TCPSYN message is added send queue withCarry out transmitted to CPU processing, if the TCPSYN message receiving at this interface meets the 2nd ACL,Abandon this TCPSYN message, otherwise, the TCPSYN message receiving at this interface is added and detects teamRow.
5. The method according to claim 4, characterized in that:
After a TCP SYN FLOOD attack is detected on the interface, the method further comprises: calculating the rate at which the interface receives TCP SYN messages in each first preset duration; if the rate at which the interface receives TCP SYN messages is lower than the preset maximum upload-rate threshold in N consecutive first preset durations, deleting the first ACL and the second ACL, and transferring all TCP SYN messages in the detection queue to the send queue for upload to the CPU for processing; wherein N is a preset value.
6. An anti-attack device for TCP SYN FLOOD, characterized in that the device comprises a detecting unit, a receiving unit and a processing unit;
the detecting unit is configured to detect whether a TCP SYN FLOOD attack has occurred on an interface;
the receiving unit is configured to, after the detecting unit detects a TCP SYN FLOOD attack on the interface, add the TCP SYN messages received on the interface to a detection queue;
the processing unit is configured to identify the TCP SYN messages added to the detection queue, determine normal TCP SYN messages and abnormal TCP SYN messages, transfer the normal TCP SYN messages from the detection queue to a send queue for upload to the CPU for processing, and delete the abnormal TCP SYN messages from the detection queue.
7. The device according to claim 6, characterized in that:
the receiving unit is further configured to, before the detecting unit detects a TCP SYN FLOOD attack on the interface, add the TCP SYN messages received on the interface to the send queue for upload to the CPU for processing;
when detecting whether a TCP SYN FLOOD attack has occurred on the interface, the detecting unit is configured to: if the upload rate of the send queue exceeds the preset upload-rate threshold, determine that a TCP SYN FLOOD attack has occurred on the interface; otherwise, determine that no TCP SYN FLOOD attack has occurred on the interface.
8. The device according to claim 7, characterized in that:
the processing unit identifying the TCP SYN messages added to the detection queue and determining normal TCP SYN messages and abnormal TCP SYN messages comprises:
within a first preset duration, recording the TCP SYN messages in the detection queue, including, for each type of message: the quantity of messages of that type, the time of the last reception of that type of message, and the time difference between the two most recent receptions of that type of message;
when the first preset duration ends, if the recorded quantity of the type of message is 1, recording the type of message as a pending (undetermined) message in the next first preset duration; if the recorded quantity of the type of message is greater than 1 and not greater than the preset TCP SYN message maximum retransmission count, and the time difference between the two most recent receptions of the type of message meets the preset TCP SYN message retransmission time interval, determining that the type of message is a normal TCP SYN message; if the recorded quantity of the type of message is greater than the preset TCP SYN message maximum retransmission count, or the recorded quantity of the type of message is greater than 1 and not greater than the preset TCP SYN message maximum retransmission count but the time difference between the two most recent receptions of the type of message does not meet the preset TCP SYN message retransmission time interval, determining that the type of message is an abnormal TCP SYN message; wherein TCP SYN messages having the same source IP address, source port, destination IP address and destination port belong to the same type of message.
9. The device according to claim 8, characterized in that:
the processing unit is further configured to, after determining that the type of message is a normal TCP SYN message, issue a first ACL on the interface, the first ACL comprising the source IP address, source port, destination IP address and destination port of the type of message;
the processing unit is further configured to, after determining that the type of message is an abnormal TCP SYN message, issue a second ACL on the interface, the second ACL comprising the source IP address, source port, destination IP address and destination port of the type of message;
the receiving unit is further configured to, after the detecting unit detects a TCP SYN FLOOD attack on the interface: if a TCP SYN message received on the interface matches the first ACL, add the TCP SYN message to the send queue for upload to the CPU for processing; if a TCP SYN message received on the interface matches the second ACL rule, discard the TCP SYN message; otherwise, add the TCP SYN message received on the interface to the detection queue.
10. The device according to claim 9, characterized in that:
the processing unit is further configured to, after the detecting unit detects a TCP SYN FLOOD attack on the interface, calculate the rate at which the interface receives TCP SYN messages in each first preset duration; if the rate at which the interface receives TCP SYN messages in N consecutive first preset durations is lower than the preset maximum upload-rate threshold, delete the first ACL and the second ACL, and transfer all TCP SYN messages currently in the detection queue to the send queue for upload to the CPU for processing; wherein N is a preset value.
CN201510598259.5A 2015-09-18 2015-09-18 Anti-attack method and device for TCP SYN FLOOD Pending CN105592055A (en)

Publications (1)

Publication Number Publication Date
CN105592055A true CN105592055A (en) 2016-05-18

Legal Events

Code Title Description
C06 / PB01 Publication
C10 / SE01 Entry into substantive examination (entry into force of request for substantive examination)
CB02 Change of applicant information. Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.; Applicant after: Xinhua three Technology Co., Ltd.; Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.; Applicant before: Huasan Communication Technology Co., Ltd.
RJ01 Rejection of invention patent application after publication. Application publication date: 20160518