CN107395632A - SYN Flood defense method, device, cleaning equipment and medium - Google Patents


Publication number
CN107395632A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710741489.1A
Other languages
Chinese (zh)
Other versions
CN107395632B (en
Inventor
赵跃明
叶晓虎
何坤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd, Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201710741489.1A
Publication of CN107395632A
Application granted
Publication of CN107395632B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/12 Arrangements for detecting or preventing errors in the information received by using return channel
    • H04L1/16 Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals
    • H04L1/1607 Details of the supervisory signal
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a protection method, a device, cleaning equipment and a storage medium for SYN Flood attacks. The method includes: receiving a SYN message sent by a terminal, and judging whether the information of the terminal is recorded in a trust list or a limitation list; if not, discarding the SYN message and sending an ACK probe message to the terminal; judging whether an RST message is received; if so, adding the information of the terminal to the trust list, and if not, adding the information of the terminal to the limitation list. In the embodiments of the invention, the cleaning equipment stores a trust list and a limitation list. If the terminal is recorded in neither list, an ACK probe message is sent to the terminal. The ACK probe message does not destroy the TCP connection between the terminal and the server, and whether the terminal sends an RST message determines which list the terminal is added to. The SYN message is discarded and so occupies no resources, which improves the processing efficiency of the cleaning equipment.

Description

SYN Flood defense method, device, cleaning equipment and medium
Technical field
The present invention relates to the field of network communication security, and in particular to a protection method, device, cleaning equipment and storage medium for synchronize flood (SYN Flood) attacks.
Background
The Transmission Control Protocol (TCP) establishes a connection through a three-way handshake, which proceeds as follows:
1. The terminal sends a synchronize (SYN) message to the server. The SYN message indicates the port used by the terminal and the initial sequence number of the TCP connection;
2. After receiving the SYN message, the server sends the terminal a synchronize-acknowledgement (synchronize+acknowledgement, SYN+ACK) message corresponding to the SYN message. The SYN+ACK message indicates that the terminal's connection request has been accepted, and at the same time the initial sequence number of the TCP connection is automatically incremented by 1;
3. The terminal sends an acknowledgement (ACK) message to the server; likewise, the sequence number of the TCP connection is incremented by one.
Some exception handling is built into the three-way handshake. If the server does not receive the ACK message from the terminal, it stays in the waiting-for-acknowledgement (synchronize receive, SYN_RECV) state, adds the terminal's IP information to a waiting list, and resends the SYN+ACK message to the terminal according to the IP information recorded in the waiting list. If the server still does not receive the ACK message from the terminal, it continues to resend the SYN+ACK message; the number of resends is generally 3-5, and the waiting list is polled about once every 30 seconds. On the other hand, after sending the SYN+ACK message, the server allocates resources in advance for the TCP connection that is about to be established, and these resources are retained for as long as the server is in the SYN_RECV state. Because server resources are limited, once the resources allocated in the SYN_RECV state reach a certain threshold the server no longer accepts new SYN messages, that is, it refuses to establish new TCP connections.
A SYN Flood attack exploits this exception handling in the three-way handshake to attack the server. The attacker forges a large number of IP addresses and sends SYN messages to the server; because the forged IP addresses do not exist, no ACK message is returned to the server. The server therefore has to maintain a huge waiting list and keeps retrying the SYN+ACK messages, while occupying a large amount of resources that are not released. More importantly, once the resources that the attacked server has allocated in the SYN_RECV state reach a certain threshold, it no longer accepts new SYN messages, so legitimate users cannot complete the three-way handshake and establish a TCP connection.
The methods used in the prior art to protect against SYN Flood attacks are as follows:
Scheme one:
Fig. 1 is a schematic diagram of how this scheme protects against SYN Flood attacks. After receiving the SYN message sent by the terminal, the cleaning equipment first answers the terminal with a normal SYN+ACK message on behalf of the server. If it receives the ACK message with which the terminal responds, the TCP connection request is considered to have passed verification. The cleaning equipment then sends the same SYN message to the server and establishes a TCP connection with the server through a three-way handshake.
The problem with this scheme is that the cleaning equipment has to record the sequence number of each message in the session and, for the subsequent messages between the terminal and the server, correct the sequence numbers one by one and recalculate the checksums. Protection performance is very low, and the cleaning equipment can only be deployed in series (in-line) in the network, which is a severe limitation.
Scheme two:
Fig. 2 is a schematic diagram of how this scheme protects against SYN Flood attacks. After receiving the SYN message sent by the terminal, the cleaning equipment first answers the terminal, on behalf of the server, with a SYN+ACK message that corresponds to the SYN message except that its sequence number is wrong. If it receives the reset (RESET, RST) message with which the terminal responds, the TCP connection request is considered to have passed verification. Within a certain time, once the cleaning equipment receives the SYN message retransmitted by the terminal, it forwards it directly to the server, and a TCP connection is established between the terminal and the server. After the TCP connection is established, the cleaning equipment forwards the subsequent messages of the session directly, without processing them.
The problem with this scheme is that, by answering the terminal on behalf of the server with a SYN+ACK message whose sequence number is wrong, the cleaning equipment deliberately destroys the TCP connection state between the terminal and the server, and identifies whether the terminal is legitimate from the error-correction ability of the terminal's protocol stack. Even if the terminal is legitimate, it has to actively initiate the connection again before it can establish a TCP connection with the server. In practice, however, some terminals do not actively resend the SYN message after the TCP connection state has been broken and have to be restarted manually by the user, so some unattended terminals cannot work normally, which leads to service interruption, poor user experience and low satisfaction.
Summary of the invention
Embodiments of the invention provide a protection method, device, cleaning equipment and storage medium for SYN Flood attacks, to solve two problems of the prior art when protecting against SYN Flood attacks: the TCP connection state between the terminal and the server is destroyed, which causes service interruption and affects user experience; and the cleaning equipment has to record the sequence number of each message and, for the messages subsequently transmitted between the terminal and the server, correct the sequence numbers one by one and recalculate the checksums, which puts heavy pressure on the protection performance of the cleaning equipment.
An embodiment of the invention provides a protection method for SYN Flood attacks, applied to cleaning equipment, the method including:
receiving a SYN message sent by a terminal, and judging whether the information of the terminal is recorded in the trust list or the limitation list that the cleaning equipment itself stores;
if the information of the terminal is recorded in the trust list, forwarding the SYN message to the server; if the information of the terminal is recorded in the limitation list, discarding the SYN message;
otherwise, discarding the SYN message and sending the terminal an acknowledgement (ACK) probe message that meets specified conditions; judging whether a reset (RST) error-correction message sent by the terminal is received; if so, adding the information of the terminal to the trust list, and if not, adding the information of the terminal to the limitation list.
Further, the sending sequence number and the acknowledgement sequence number in the ACK probe message that meets the specified conditions are random values.
Further, before judging whether the information of the terminal is recorded in the trust list or the limitation list that the cleaning equipment itself stores, the method also includes:
obtaining the current traffic of the server and judging whether the current traffic is greater than a preset traffic threshold; if so, determining that a SYN Flood attack exists and carrying out the subsequent steps.
Further, the second source IP, second destination IP, second source port and second destination port of the ACK probe message that meets the specified conditions are, respectively, the first destination IP, first source IP, first destination port and first source port of the SYN message.
Further, judging whether the RST error-correction message sent by the terminal is received includes:
judging whether the RST error-correction message sent by the terminal is received within a set length of time.
In another aspect, an embodiment of the invention provides a protection device for synchronize flood (SYN Flood) attacks, the device including:
a receiving and judging module, configured to receive a SYN message sent by a terminal and judge whether the information of the terminal is recorded in the trust list or the limitation list that the device itself stores;
a first processing module, configured to forward the SYN message to the server if the information of the terminal is recorded in the trust list, and to discard the SYN message if the information of the terminal is recorded in the limitation list;
a second processing module, configured to discard the SYN message and send the terminal an acknowledgement (ACK) probe message that meets specified conditions; and to judge whether a reset (RST) error-correction message sent by the terminal is received, and if so, add the information of the terminal to the trust list, and if not, add the information of the terminal to the limitation list.
Further, the sending sequence number and the acknowledgement sequence number in the ACK probe message that meets the specified conditions and is sent by the second processing module are random values.
Further, the device also includes:
an obtaining and judging module, configured to obtain the current traffic of the server and judge whether the current traffic is greater than a preset traffic threshold, and if so, to determine that a SYN Flood attack exists and trigger the receiving and judging module.
Further, the second source IP, second destination IP, second source port and second destination port of the ACK probe message that meets the specified conditions and is sent by the second processing module are, respectively, the first destination IP, first source IP, first destination port and first source port of the SYN message.
Further, the second processing module is specifically configured to judge whether the RST error-correction message sent by the terminal is received within a set length of time.
An embodiment of the invention provides cleaning equipment including a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program;
the processor is configured to implement the steps of any of the methods described above when executing the program stored in the memory.
An embodiment of the invention provides a computer-readable storage medium in which a computer program is stored; when executed by a processor, the computer program implements the steps of any of the methods described above.
Embodiments of the invention provide a protection method, device, cleaning equipment and storage medium for SYN Flood attacks. The method includes: receiving a SYN message sent by a terminal, and judging whether the information of the terminal is recorded in the trust list or the limitation list that the cleaning equipment itself stores; if the information of the terminal is recorded in the trust list, forwarding the SYN message to the server; if the information of the terminal is recorded in the limitation list, discarding the SYN message; otherwise, discarding the SYN message and sending the terminal an acknowledgement (ACK) probe message that meets specified conditions; judging whether a reset (RST) error-correction message sent by the terminal is received; if so, adding the information of the terminal to the trust list, and if not, adding the information of the terminal to the limitation list. Because the cleaning equipment stores a trust list and a limitation list, it can handle the SYN messages sent by terminals recorded in the different lists accordingly. If the terminal is recorded in neither list, an ACK probe message is sent to the terminal. The ACK probe message does not destroy the TCP connection state between the terminal and the server; moreover, because the ACK probe message is an abnormal message from the terminal's point of view, whether the terminal sends an RST error-correction message to the cleaning equipment determines which list the terminal is added to. At the same time, because the received SYN message is discarded, it does not occupy the resources of the cleaning equipment, which effectively improves the processing efficiency of the cleaning equipment.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of one prior-art way of protecting against SYN Flood attacks;
Fig. 2 is a schematic diagram of another prior-art way of protecting against SYN Flood attacks;
Fig. 3 is a schematic diagram of the SYN Flood attack protection process provided by Embodiment 1 of the invention;
Fig. 4 is a schematic diagram of the SYN Flood attack protection process provided by Embodiment 3 of the invention;
Fig. 5 is a schematic diagram of the cleaning equipment provided by Embodiment 6 of the invention;
Fig. 6 is a schematic structural diagram of the SYN Flood attack protection device provided by an embodiment of the invention.
Detailed description of the embodiments
The invention is described in further detail below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiment 1:
Fig. 3 is a schematic diagram of a SYN Flood attack protection process provided by an embodiment of the invention. The process includes the following steps:
S101: Receive the SYN message sent by the terminal, and judge whether the information of the terminal is recorded in the trust list or the limitation list that the cleaning equipment itself stores.
The protection method for SYN Flood attacks provided by the embodiment of the invention is applied to cleaning equipment. The cleaning equipment stores a trust list and a limitation list, and information about terminals is recorded in both lists. The cleaning equipment can be a product that protects against SYN Flood attacks, for example the NSFOCUS Anti-DDoS System (NSFOCUS ADS), or a device such as a gateway with protection functions. The terminal in the embodiment of the invention can be a device such as a tablet computer or a PC.
Based on TCP, the cleaning equipment can receive the SYN message sent by the terminal and obtain the information of the terminal from the SYN message. Because the cleaning equipment stores a trust list and a limitation list, once it has obtained the information of the terminal it can judge whether that information is recorded in the trust list or the limitation list it stores. Specifically, the information of the terminal can be the IP address information of the terminal.
S102: If the information of the terminal is recorded in the trust list, forward the SYN message to the server; if the information of the terminal is recorded in the limitation list, discard the SYN message.
A terminal in the trust list stored in the cleaning equipment can be regarded as a real terminal, that is, a SYN message sent by a terminal in the trust list is regarded as a SYN message sent by a normal terminal. When the cleaning equipment receives the SYN message sent by the terminal and obtains the information of the terminal from it, if it judges that the information of the terminal is recorded in the trust list, it forwards the SYN message directly to the server.
A terminal in the limitation list stored in the cleaning equipment can be regarded as a false terminal, that is, a SYN message sent by a terminal in the limitation list is regarded as a SYN message that a false terminal sends in order to attack the server. When the cleaning equipment receives the SYN message sent by the terminal and obtains the information of the terminal from it, if it judges that the information of the terminal is recorded in the limitation list, it discards the SYN message, which effectively protects the server.
S103: Otherwise, discard the SYN message and send the terminal an acknowledgement (ACK) probe message that meets specified conditions; judge whether a reset (RST) error-correction message sent by the terminal is received; if so, add the information of the terminal to the trust list, and if not, add the information of the terminal to the limitation list.
When the cleaning equipment receives the SYN message sent by the terminal and obtains the information of the terminal from it, it may find that the information of the terminal is recorded in neither the trust list nor the limitation list that it stores. In that case, in order to protect the server without affecting the SYN messages that normal users send to the server, it is necessary to judge whether the terminal is a real terminal or a false terminal.
A real terminal has a complete protocol stack and conforms to TCP when transmitting messages, that is, after receiving a message sent based on TCP, a real terminal sends a response message. A false terminal does not conform to TCP: it cannot receive a message sent based on TCP and therefore does not send a response message. Whether the terminal conforms to TCP can therefore be used to determine whether it is a real terminal or a false terminal.
In the embodiment of the invention, when a SYN Flood attack exists, the attacker can easily forge a large number of false terminals to launch the attack, so the SYN messages that terminals send to the cleaning equipment can occupy a lot of the cleaning equipment's resources. When the resources of the cleaning equipment occupied by SYN messages reach a certain threshold, the cache of the cleaning equipment is exhausted, which affects its protection performance. To prevent the cache from being exhausted, after receiving the SYN message sent by the terminal, if the cleaning equipment judges that the information of the terminal is recorded in neither the trust list nor the limitation list that it stores, it discards the SYN message and then judges whether the terminal is a real terminal or a false terminal.
Specifically, the cleaning equipment can send a probe message to the terminal based on TCP. To avoid destroying the TCP connection state between the terminal and the server, the probe message sent to the terminal can be an ACK probe message that the cleaning equipment constructs based on TCP. The ACK probe message is not the SYN+ACK message corresponding to the SYN message sent by the terminal; it is equivalent to forging an already existing connection session between the terminal and the server, so the ACK probe message does not destroy the TCP connection state between the terminal and the server.
After sending the ACK probe message to the terminal, the cleaning equipment judges whether it receives an RST error-correction message sent by the terminal. If the terminal is a real terminal, it sends an RST error-correction message to the cleaning equipment; if the terminal is a false terminal, it does not. So if the cleaning equipment receives the RST error-correction message, the terminal is a real terminal, and once that is determined the information of the terminal can be added to the trust list. If the cleaning equipment sends the ACK probe message to the terminal based on TCP and does not receive an RST error-correction message from the terminal, the terminal is a false terminal, and once that is determined the information of the terminal can be added to the limitation list.
When the cleaning equipment receives the SYN message sent by the terminal and judges that the information of the terminal is recorded in neither the trust list nor the limitation list, it discards the SYN message, so the server does not receive it. However, the terminal has not received the SYN+ACK message it expects, and the ACK probe message that was sent does not destroy the TCP connection state between the terminal and the server, so when the terminal has not received the SYN+ACK message corresponding to the SYN message within a certain time it sends the SYN message again. The SYN message that the terminal sends again is identical to the one the cleaning equipment discarded and belongs to the same TCP connection state. By then the cleaning equipment has judged whether the terminal is a real terminal or a false terminal and has added the information of the terminal to the trust list or the limitation list accordingly, so when it receives the SYN message that the terminal sends again it can handle that SYN message according to whether the information of the terminal is recorded in the trust list or the limitation list.
In the embodiment of the invention, the cleaning equipment stores a trust list and a limitation list, so it can handle the SYN messages sent by terminals recorded in the different lists accordingly. If the terminal is recorded in neither list, an ACK probe message is sent to the terminal. The ACK probe message does not destroy the TCP connection state between the terminal and the server; moreover, because the ACK probe message is an abnormal message from the terminal's point of view, whether the terminal sends an RST error-correction message to the cleaning equipment determines which list the terminal is added to. At the same time, because the received SYN message is discarded, it does not occupy the resources of the cleaning equipment, which effectively improves the processing efficiency of the cleaning equipment. Since the TCP connection state between the terminal and the server is not destroyed, after the SYN message is discarded the terminal sends the SYN message again when it has not received the SYN+ACK message from the server within a certain time, and the cleaning equipment can handle the SYN messages sent by terminals recorded in the different lists accordingly. Protection against SYN Flood attacks therefore avoids the problem of service interruption and degraded user experience caused by destroying the TCP connection state between the terminal and the server.
In addition, in the embodiment of the invention, after receiving the SYN message sent by the terminal the cleaning equipment does not send a SYN+ACK message to the terminal but sends an ACK probe message. There is therefore no situation in which the terminal establishes a TCP connection with the cleaning equipment and the cleaning equipment establishes a TCP connection with the server, which also avoids the problem of the cleaning equipment having to record the sequence number of each message and, for the subsequent messages between the terminal and the server, correct the sequence numbers one by one and recalculate the checksums. Protection performance is improved, and the cleaning equipment can be deployed either in series (in-line) in the network or in bypass mode, which improves the flexibility of deploying the cleaning equipment.
Embodiment 2:
On the basis of the above embodiment, in this embodiment of the present invention, the sending sequence number and the acknowledgment sequence number in the ACK probe message that meets the specified conditions are random values.
The sequence numbers of the messages transmitted between the terminal and the server are related. For example, the sequence number of the SYN message that the terminal sends to the server is the initial sequence number, and after receiving the SYN message the server sends the terminal a SYN+ACK message whose sequence number is the initial sequence number plus 1. To ensure that the ACK probe message sent by the cleaning equipment does not affect the messages transmitted between the terminal and the server, the cleaning equipment constructs the ACK probe message so that it meets a specified condition: the sending sequence number and the acknowledgment sequence number in the ACK probe message are set to random values. This ensures that the terminal, on receiving the ACK probe message, regards it as an abnormal message, performs exception handling, and sends an RST error correction message to the cleaning equipment.
Embodiment 3:
Because the protection method provided here targets SYN Flood attacks, the cleaning equipment can first judge whether a SYN Flood attack exists before protecting. If no SYN Flood attack exists, no protection is needed; protection is needed only when a SYN Flood attack is judged to exist. To save the protection resources of the cleaning equipment, on the basis of the above embodiments, in this embodiment of the present invention, before judging whether the information of the terminal is recorded in the trust list or the limitation list stored by the cleaning equipment, the method further includes:
Obtaining the current traffic of the server and judging whether the current traffic is greater than a preset traffic threshold; if so, determining that a SYN Flood attack exists and carrying out the subsequent steps.
After receiving the SYN message sent by the terminal, and before judging whether the information of the terminal is recorded in its trust list or limitation list, the cleaning equipment can first judge whether a SYN Flood attack exists. If no SYN Flood attack exists, the cleaning equipment does not need to check the trust list or the limitation list and can forward the SYN message sent by the terminal directly to the server. Only when a SYN Flood attack is judged to exist does the cleaning equipment need to protect against it.
When a SYN Flood attack exists, the attacker typically forges a large number of false terminals to attack the server, which makes the current traffic of the server greater than its traffic when no SYN Flood attack exists. Whether a SYN Flood attack exists can therefore be determined from the current traffic of the server.
Specifically, the cleaning equipment can obtain the current traffic of the server, and a preset traffic threshold is stored in the cleaning equipment. After obtaining the current traffic of the server, the cleaning equipment judges whether it is greater than the preset traffic threshold. If so, a SYN Flood attack is determined to exist and protection is needed, and the cleaning equipment then judges whether the information of the terminal is recorded in its trust list or limitation list. If the current traffic is not greater than the preset traffic threshold, no SYN Flood attack is determined to exist and no protection is needed, so the cleaning equipment can forward the received SYN message directly to the server.
Fig. 4 is a schematic diagram of a protection process against SYN Flood attacks provided by an embodiment of the present invention. The process includes the following steps:
S201: Receive the SYN message sent by the terminal, obtain the current traffic of the server, and judge whether the current traffic is greater than the preset traffic threshold; if so, determine that a SYN Flood attack exists.
S202: Judge whether the information of the terminal is recorded in the trust list or the limitation list stored by the cleaning equipment.
S203: If the information of the terminal is recorded in the trust list, forward the SYN message to the server; if the information of the terminal is recorded in the limitation list, drop the SYN message.
S204: Otherwise, drop the SYN message and send the terminal an acknowledgment (ACK) probe message that meets the specified conditions; judge whether a reset (RST) error correction message sent by the terminal is received; if so, add the information of the terminal to the trust list; if not, add the information of the terminal to the limitation list.
S205: Receive the SYN message sent again by the terminal, which is identical to the SYN message dropped by the cleaning equipment and belongs to the same TCP connection state; judge whether the information of the terminal is recorded in the trust list or the limitation list; if the information of the terminal is recorded in the trust list, forward the resent SYN message to the server; if the information of the terminal is recorded in the limitation list, drop the resent SYN message.
In this embodiment of the present invention, before judging whether the information of the terminal is recorded in the trust list or the limitation list, the cleaning equipment can determine from the current traffic of the server whether a SYN Flood attack exists. When a SYN Flood attack is determined to exist, the subsequent protection steps are carried out; when no SYN Flood attack is determined to exist, the received SYN message is forwarded directly to the server. This saves the protection resources of the cleaning equipment.
Embodiment 4:
If the terminal has components such as a firewall, the ACK probe message sent by the cleaning equipment may fail the inspection of those components and never reach the terminal. Even a true terminal then cannot send an RST error correction message, because it never received the ACK probe message, and it would be mistaken for a false terminal. To ensure that the ACK probe message sent by the cleaning equipment passes the inspection of components such as a firewall and reaches the terminal, so that the judgment of whether a terminal is true or false is more accurate, on the basis of the above embodiments, in this embodiment of the present invention, the second source IP, second destination IP, second source port and second destination port of the ACK probe message that meets the specified conditions are, respectively, the first destination IP, first source IP, first destination port and first source port of the SYN message.
Because the terminal sends the SYN message to the server, the first source IP in the SYN message is the IP address of the terminal, the first source port is the port of the terminal, the first destination IP is the IP address of the server, and the first destination port is the port of the server. The source IP of an ACK probe message sent by the cleaning equipment to the terminal would normally be the IP address of the cleaning equipment, and its source port would be the port of the cleaning equipment. As a result, the first destination IP and first destination port in the SYN message sent by the terminal are inconsistent with the source IP and source port of the ACK probe message sent by the cleaning equipment, and components such as the terminal's firewall may prevent the ACK probe message from reaching the terminal.
To ensure that the ACK probe message sent by the cleaning equipment passes the inspection of components such as a firewall and reaches the terminal, the ACK probe message meets specified conditions. In this embodiment of the present invention, a five-tuple value exchange strategy is used for this purpose. Specifically, after receiving the SYN message sent by the terminal, the cleaning equipment obtains the first destination IP, first source IP, first destination port and first source port from the SYN message and uses them to set up the ACK probe message: the second source IP of the ACK message is set to the first destination IP of the SYN message, the second source port of the ACK message is set to the first destination port of the SYN message, the second destination IP of the ACK message is set to the first source IP of the SYN message, and the second destination port of the ACK message is set to the first source port of the SYN message. In this way, the first destination IP and first destination port of the SYN message sent by the terminal match the second source IP and second source port of the ACK probe message sent by the cleaning equipment, and the first source IP and first source port of the SYN message match the second destination IP and second destination port of the ACK probe message. Components such as the terminal's firewall therefore do not prevent the ACK probe message from reaching the terminal.
In this embodiment of the present invention, the second source IP, second destination IP, second source port and second destination port of the ACK probe message sent by the cleaning equipment are, respectively, the first destination IP, first source IP, first destination port and first source port of the SYN message. Therefore, even when the terminal has a firewall, components such as the firewall do not prevent the ACK probe message from reaching the terminal, and the judgment of whether the terminal is a true terminal or a false terminal is more accurate.
Embodiment 5:
To improve the accuracy of judging whether a terminal is genuine, on the basis of the above embodiments, in this embodiment of the present invention, judging whether the RST error correction message sent by the terminal is received includes:
Judging whether the RST error correction message sent by the terminal is received within a set time length.
According to the rules of the TCP protocol, after the cleaning equipment sends the ACK probe message to the terminal, the terminal sends an RST error correction message to the cleaning equipment within the set time length; that is, the cleaning equipment can receive the RST error correction message from the terminal within the set time length. If the RST error correction message is received within the set time length, the terminal can be considered to conform to the TCP protocol, so the terminal is determined to be a true terminal. If no RST error correction message is received within the set time length, the terminal can be considered not to conform to the TCP protocol, so the terminal is determined to be a false terminal.
Specifically, a timer can be set in the cleaning equipment. When the cleaning equipment sends the ACK probe message to the terminal, it starts the timer, whose duration is the set time length. The cleaning equipment judges whether the RST error correction message sent by the terminal is received before the timer expires. If it is received, the terminal is determined to be a true terminal; if it is not received before the timer expires, the terminal is determined to be a false terminal. In addition, the set time length may be slightly less than the interval at which the terminal resends the SYN message; for example, the set time length may be 0.6 seconds, 0.8 seconds, and so on.
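The flow of steps S201 to S205, with the probe construction of Embodiments 2 and 4 and the timer of Embodiment 5, can be modelled as follows. This is an added example, not code from the patent or from any product it names; the class and function names, keying both lists by source IP, and the extra check that the RST's sequence number equals the probe's acknowledgment number (RFC 793 reset generation) are assumptions of the example.

```python
import random
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:  # constructed stand-in for a parsed TCP segment
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int
    seq: int = 0
    ack: int = 0


class CleaningDevice:
    """Model of steps S201-S205. Names and keying by source IP are assumptions."""

    def __init__(self, traffic_threshold, rst_timeout=0.8, rng=None):
        self.traffic_threshold = traffic_threshold  # preset traffic threshold
        self.rst_timeout = rst_timeout              # set time length, in seconds
        self.rng = rng if rng is not None else random.SystemRandom()
        self.trust, self.limit = set(), set()
        self.pending = {}  # terminal IP -> (probe sent, deadline for the RST)

    def _expire(self, now):
        # No RST within the set time length: record the terminal as false.
        for term, (_, deadline) in list(self.pending.items()):
            if now > deadline:
                del self.pending[term]
                self.limit.add(term)

    def on_syn(self, syn, now, current_traffic):
        """Return (verdict, probe); verdict is 'forward', 'drop' or 'probe'.
        'probe' means: drop the SYN and send the returned ACK probe."""
        if current_traffic <= self.traffic_threshold:
            return "forward", None          # S201: no SYN Flood, pass through
        self._expire(now)
        term = syn.src_ip
        if term in self.trust:              # S203
            return "forward", None
        if term in self.limit:
            return "drop", None
        if term in self.pending:            # simplification: one probe at a time
            return "drop", None
        # S204: swap the SYN's addresses and ports so the probe appears to come
        # from the server, and use random sequence and acknowledgment numbers.
        probe = Packet(syn.dst_ip, syn.dst_port, syn.src_ip, syn.src_port, ACK,
                       seq=self.rng.getrandbits(32), ack=self.rng.getrandbits(32))
        self.pending[term] = (probe, now + self.rst_timeout)
        return "probe", probe

    def on_rst(self, rst, now):
        """Return True if this RST answers an outstanding probe in time."""
        self._expire(now)
        entry = self.pending.get(rst.src_ip)
        if entry is None or not rst.flags & RST:
            return False
        probe = entry[0]
        same_flow = (rst.src_port, rst.dst_ip, rst.dst_port) == (
            probe.dst_port, probe.src_ip, probe.src_port)
        # Added check (assumption, not in the patent): a stack that resets an
        # unexpected ACK sets SEQ to that segment's ACK number (RFC 793).
        if not (same_flow and rst.seq == probe.ack):
            return False
        del self.pending[rst.src_ip]
        self.trust.add(rst.src_ip)
        return True


def rst_from_terminal(probe):
    """Reply of a TCP-conformant terminal to the unexpected ACK probe."""
    return Packet(probe.dst_ip, probe.dst_port, probe.src_ip, probe.src_port,
                  RST, seq=probe.ack)
```

Drawing the probe's numbers from `random.SystemRandom` keeps the acknowledgment number unpredictable, which is what makes the sequence-number check on the RST meaningful.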
Embodiment 6:
On the basis of the above embodiments, an embodiment of the present invention further provides a cleaning equipment which, as shown in Fig. 5, includes a processor 501, a communication interface 502, a memory 503 and a communication bus 504, where the processor 501, the communication interface 502 and the memory 503 communicate with one another through the communication bus 504;
A computer program is stored in the memory 503, and when the program is executed by the processor 501, it causes the processor 501 to perform the following steps:
Receiving the SYN message sent by the terminal, and judging whether the information of the terminal is recorded in the trust list or the limitation list stored by the cleaning equipment;
If the information of the terminal is recorded in the trust list, forwarding the SYN message to the server; if the information of the terminal is recorded in the limitation list, dropping the SYN message;
Otherwise, dropping the SYN message and sending the terminal an acknowledgment (ACK) probe message that meets the specified conditions; judging whether a reset (RST) error correction message sent by the terminal is received; if so, adding the information of the terminal to the trust list; if not, adding the information of the terminal to the limitation list.
Based on the same inventive concept, an embodiment of the present invention further provides a cleaning equipment. Because the principle by which the cleaning equipment solves the problem is similar to that of the protection method against SYN Flood attacks, the implementation of the cleaning equipment may refer to the implementation of the method, and repeated parts are not described again.
The cleaning equipment provided by the embodiments of the present invention may specifically be a product that protects against SYN Flood attacks, such as the NSFOCUS anti-denial-of-service system (NSFOCUS Anti-DDoS System, NSFOCUS ADS), or a device such as a gateway with a protection function. The terminal in the embodiments of the present invention may be a device such as a tablet computer or a PC.
The communication bus mentioned for the above cleaning equipment may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is shown in the figure, but this does not mean that there is only one bus or one type of bus.
The communication interface 502 is used for communication between the above cleaning equipment and other devices.
The memory 503 may include random access memory (Random Access Memory, RAM) and may also include non-volatile memory (Non-Volatile Memory, NVM), for example at least one magnetic disk storage. Optionally, the memory 503 may also be at least one storage device located remotely from the aforementioned processor.
The above processor 501 may be a general-purpose processor, including a central processing unit, a network processor (Network Processor, NP) and the like; it may also be a digital signal processor (Digital Signal Processing, DSP), an application-specific integrated circuit, a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, and the like.
In the embodiments of the present invention, when the processor 501 executes the program stored in the memory 503, it can handle SYN messages differently depending on which list the sending terminal is recorded in. If the terminal is not recorded in either list, an ACK probe message that meets the specified conditions is sent to the terminal. The ACK probe message does not destroy the TCP connection state between the terminal and the server, and because it is an abnormal message from the terminal's point of view, whether the terminal sends an RST error correction message to the cleaning equipment determines which list the terminal is added to. Because the received SYN message is dropped, it occupies no resources on the cleaning equipment, which effectively improves the processing efficiency of the cleaning equipment.
Embodiment 7:
On the basis of the above embodiments, an embodiment of the present invention further provides a computer-readable storage medium. The computer-readable storage medium stores a computer program executable by a cleaning equipment, and when the program runs on the cleaning equipment, it causes the cleaning equipment to perform the following steps:
Receiving the SYN message sent by the terminal, and judging whether the information of the terminal is recorded in the trust list or the limitation list stored by the cleaning equipment;
If the information of the terminal is recorded in the trust list, forwarding the SYN message to the server; if the information of the terminal is recorded in the limitation list, dropping the SYN message;
Otherwise, dropping the SYN message and sending the terminal an acknowledgment (ACK) probe message that meets the specified conditions; judging whether a reset (RST) error correction message sent by the terminal is received; if so, adding the information of the terminal to the trust list; if not, adding the information of the terminal to the limitation list.
Based on the same inventive concept, an embodiment of the present invention further provides a computer-readable storage medium. Because the principle by which the processor solves the problem when executing the computer program stored on the computer-readable storage medium is similar to that of the protection method against SYN Flood attacks, the implementation of the processor executing that computer program may refer to the implementation of the method, and repeated parts are not described again.
The above computer-readable storage medium may be any available medium or data storage device that the processor in the cleaning equipment can access, including but not limited to magnetic storage such as floppy disk, hard disk, magnetic tape and magneto-optical disk (MO); optical storage such as CD, DVD, BD and HVD; and semiconductor memory such as ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH) and solid state drive (SSD).
The computer-readable storage medium provided in the embodiments of the present invention stores a computer program. When the computer program is executed by a processor, SYN messages can be handled differently depending on which list the sending terminal is recorded in. If the terminal is not recorded in either list, an ACK probe message is sent to the terminal. The ACK probe message does not destroy the TCP connection state between the terminal and the server, and because it is an abnormal message from the terminal's point of view, whether the terminal sends an RST error correction message to the cleaning equipment determines which list the terminal is added to. Because the received SYN message is dropped, it occupies no resources on the cleaning equipment, which effectively improves the processing efficiency of the cleaning equipment.
Fig. 6 is a schematic structural diagram of a protection device against SYN Flood attacks provided by an embodiment of the present invention. The device includes:
A receiving and judging module 61, configured to receive the SYN message sent by the terminal and judge whether the information of the terminal is recorded in the stored trust list or limitation list;
A first processing module 62, configured to forward the SYN message to the server if the information of the terminal is recorded in the trust list, and to drop the SYN message if the information of the terminal is recorded in the limitation list;
A second processing module 63, configured to drop the SYN message and send the terminal an acknowledgment (ACK) probe message that meets the specified conditions; and to judge whether a reset (RST) error correction message sent by the terminal is received, and if so, add the information of the terminal to the trust list, and if not, add the information of the terminal to the limitation list.
The sending sequence number and the acknowledgment sequence number in the ACK probe message that meets the specified conditions, sent by the second processing module 63, are random values.
The device further includes:
An obtaining and judging module 64, configured to obtain the current traffic of the server and judge whether the current traffic is greater than the preset traffic threshold, and if so, determine that a SYN Flood attack exists and trigger the receiving and judging module 61.
The second source IP, second destination IP, second source port and second destination port of the ACK probe message that meets the specified conditions, sent by the second processing module 63, are, respectively, the first destination IP, first source IP, first destination port and first source port of the SYN message.
The second processing module 63 is specifically configured to judge whether the RST error correction message sent by the terminal is received within the set time length.
The embodiments of the present invention provide a protection method, a device, a cleaning equipment and a storage medium against SYN Flood attacks. The method includes: receiving the SYN message sent by the terminal, and judging whether the information of the terminal is recorded in the stored trust list or limitation list; if the information of the terminal is recorded in the trust list, forwarding the SYN message to the server; if the information of the terminal is recorded in the limitation list, dropping the SYN message; otherwise, dropping the SYN message and sending the terminal an acknowledgment (ACK) probe message that meets the specified conditions; judging whether a reset (RST) error correction message sent by the terminal is received; if so, adding the information of the terminal to the trust list; if not, adding the information of the terminal to the limitation list. In the embodiments of the present invention, the cleaning equipment stores a trust list and a limitation list, so it can handle SYN messages differently depending on which list the sending terminal is recorded in. If the terminal is not recorded in either list, an ACK probe message is sent to the terminal. The ACK probe message does not destroy the TCP connection state between the terminal and the server, and because it is an abnormal message from the terminal's point of view, whether the terminal sends an RST error correction message to the cleaning equipment determines which list the terminal is added to. Because the received SYN message is dropped, it occupies no resources on the cleaning equipment, which effectively improves the processing efficiency of the cleaning equipment.
The present invention is described with reference to flowcharts and/or block diagrams of the method, equipment (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps is performed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment thus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make other changes and modifications to these embodiments once they know the basic inventive concept. The appended claims are therefore intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (12)

1. A protection method against synchronize flood (SYN Flood) attacks, characterized in that it is applied to a cleaning equipment, the method including:
Receiving the SYN message sent by a terminal, and judging whether the information of the terminal is recorded in the trust list or the limitation list stored by the cleaning equipment;
If the information of the terminal is recorded in the trust list, forwarding the SYN message to a server; if the information of the terminal is recorded in the limitation list, dropping the SYN message;
Otherwise, dropping the SYN message and sending the terminal an acknowledgment (ACK) probe message that meets specified conditions; judging whether a reset (RST) error correction message sent by the terminal is received; if so, adding the information of the terminal to the trust list; if not, adding the information of the terminal to the limitation list.
2. The method of claim 1, characterized in that the sending sequence number and the acknowledgment sequence number in the ACK probe message that meets the specified conditions are random values.
3. The method of claim 1, characterized in that, before judging whether the information of the terminal is recorded in the stored trust list or limitation list, the method further includes:
Obtaining the current traffic of the server and judging whether the current traffic is greater than a preset traffic threshold; if so, determining that a SYN Flood attack exists and carrying out the subsequent steps.
4. The method of claim 1, characterized in that the second source IP, second destination IP, second source port and second destination port of the ACK probe message that meets the specified conditions are, respectively, the first destination IP, first source IP, first destination port and first source port of the SYN message.
5. The method of claim 1, characterized in that judging whether the RST error correction message sent by the terminal is received includes:
Judging whether the RST error correction message sent by the terminal is received within a set time length.
6. A protection device against synchronize flood (SYN Flood) attacks, characterized in that the device includes:
A receiving and judging module, configured to receive the SYN message sent by a terminal and judge whether the information of the terminal is recorded in the stored trust list or limitation list;
A first processing module, configured to forward the SYN message to a server if the information of the terminal is recorded in the trust list, and to drop the SYN message if the information of the terminal is recorded in the limitation list;
A second processing module, configured to drop the SYN message and send the terminal an acknowledgment (ACK) probe message that meets specified conditions; and to judge whether a reset (RST) error correction message sent by the terminal is received, and if so, add the information of the terminal to the trust list, and if not, add the information of the terminal to the limitation list.
7. The device of claim 6, characterized in that the sending sequence number and the acknowledgment sequence number in the ACK probe message that meets the specified conditions, sent by the second processing module, are random values.
8. The device of claim 6, characterized in that the device further includes:
An obtaining and judging module, configured to obtain the current traffic of the server and judge whether the current traffic is greater than a preset traffic threshold, and if so, determine that a SYN Flood attack exists and trigger the receiving and judging module.
9. The device of claim 6, characterized in that the second source IP, second destination IP, second source port and second destination port of the ACK probe message that meets the specified conditions, sent by the second processing module, are, respectively, the first destination IP, first source IP, first destination port and first source port of the SYN message.
10. The device of claim 6, characterized in that the second processing module is specifically configured to judge whether the RST error correction message sent by the terminal is received within a set time length.
11. A cleaning equipment, characterized in that it includes a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus;
The memory is configured to store a computer program;
The processor is configured to implement the method steps of any one of claims 1-5 when executing the program stored in the memory.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, and the computer program implements the method steps of any one of claims 1-5 when executed by a processor.
CN201710741489.1A 2017-08-25 2017-08-25 SYN Flood protection method, device, cleaning equipment and medium Active CN107395632B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710741489.1A CN107395632B (en) 2017-08-25 2017-08-25 SYN Flood protection method, device, cleaning equipment and medium

Publications (2)

Publication Number Publication Date
CN107395632A (en) 2017-11-24
CN107395632B (en)

Family

ID=60345226

Country Status (1)

Country Link
CN (1) CN107395632B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108833418A (en) * 2018-06-22 2018-11-16 北京京东金融科技控股有限公司 Methods, devices and systems for defensive attack
CN109413037A (en) * 2018-09-12 2019-03-01 北京奇安信科技有限公司 A kind of Modbus method for processing business and device
CN109962918A (en) * 2019-03-28 2019-07-02 烽火通信科技股份有限公司 A kind of method, system and the equipment of defensive attack message
CN110198298A (en) * 2018-10-11 2019-09-03 腾讯科技(深圳)有限公司 A kind of information processing method, device and storage medium
CN110417679A (en) * 2018-04-26 2019-11-05 阿里巴巴集团控股有限公司 Evade the methods, devices and systems that bypass blocks
CN111970308A (en) * 2020-09-03 2020-11-20 杭州安恒信息技术股份有限公司 Method, device and equipment for protecting SYN Flood attack
WO2021227674A1 (en) * 2020-05-13 2021-11-18 华为技术有限公司 Processing method for protocol message, network device, and computer storage medium
CN114697088A (en) * 2022-03-17 2022-07-01 神州绿盟成都科技有限公司 Method and device for determining network attack and electronic equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110131646A1 (en) * 2009-12-02 2011-06-02 Electronics And Telecommunications Research Institute Apparatus and method for preventing network attacks, and packet transmission and reception processing apparatus and method using the same
CN102291441A (en) * 2011-08-02 2011-12-21 杭州迪普科技有限公司 Method and security agent device for protecting against attack of synchronize (SYN) Flood
CN103281369A (en) * 2013-05-24 2013-09-04 华为技术有限公司 Message processing method and WOC (WAN (wide area network) optimization controller)
CN104683293A (en) * 2013-11-27 2015-06-03 杭州迪普科技有限公司 SYN attack defense method based on logic device
CN105827646A (en) * 2016-05-17 2016-08-03 浙江宇视科技有限公司 SYN attack protecting method and device
CN106453373A (en) * 2016-11-03 2017-02-22 北京知道未来信息技术有限公司 Efficient SYN Flood attack identification and disposal method
CN106936799A (en) * 2015-12-31 2017-07-07 阿里巴巴集团控股有限公司 Message cleaning method and device

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110417679B (en) * 2018-04-26 2022-06-14 阿里巴巴集团控股有限公司 Method, device and system for avoiding bypass blocking
CN110417679A (en) * 2018-04-26 2019-11-05 阿里巴巴集团控股有限公司 Evade the methods, devices and systems that bypass blocks
CN108833418B (en) * 2018-06-22 2021-05-25 京东数字科技控股有限公司 Method, device and system for defending attack
CN108833418A (en) * 2018-06-22 2018-11-16 北京京东金融科技控股有限公司 Methods, devices and systems for defensive attack
CN109413037A (en) * 2018-09-12 2019-03-01 北京奇安信科技有限公司 A kind of Modbus method for processing business and device
CN109413037B (en) * 2018-09-12 2021-11-16 奇安信科技集团股份有限公司 Modbus service processing method and device
CN110198298A (en) * 2018-10-11 2019-09-03 腾讯科技(深圳)有限公司 A kind of information processing method, device and storage medium
CN110198298B (en) * 2018-10-11 2021-08-27 腾讯科技(深圳)有限公司 Information processing method, device and storage medium
CN109962918B (en) * 2019-03-28 2021-11-30 烽火通信科技股份有限公司 Method, system and equipment for defending attack message
CN109962918A (en) * 2019-03-28 2019-07-02 烽火通信科技股份有限公司 A kind of method, system and the equipment of defensive attack message
WO2021227674A1 (en) * 2020-05-13 2021-11-18 华为技术有限公司 Processing method for protocol message, network device, and computer storage medium
CN111970308A (en) * 2020-09-03 2020-11-20 杭州安恒信息技术股份有限公司 Method, device and equipment for protecting SYN Flood attack
CN114697088A (en) * 2022-03-17 2022-07-01 神州绿盟成都科技有限公司 Method and device for determining network attack and electronic equipment
CN114697088B (en) * 2022-03-17 2024-03-15 神州绿盟成都科技有限公司 Method and device for determining network attack and electronic equipment

Also Published As

Publication number Publication date
CN107395632B (en) 2020-09-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.
