CN107547507A - A kind of anti-attack method, device, router device and machinable medium - Google Patents

Publication number: CN107547507A (granted as CN107547507B)
Application number: CN201710499051.7A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 许良掌, 王东
Assignee (original and current): New H3C Technologies Co Ltd
Legal status: Active (granted)
Classification: Data Exchanges In Wide-Area Networks
Prior art keywords: attack, message, speed, attack message, list item
Abstract

Embodiments of the present application provide an anti-attack method, an anti-attack device, a router device and a machine-readable storage medium, applied to a router device. The anti-attack method includes: after an attack message is determined according to the rate at which TCP SYN messages are received, establishing an attack-protection entry; judging whether the current rate at which the attack message is received is less than a preset attack-strength threshold; and when the current rate at which the attack message is received is less than the preset attack-strength threshold, aging the attack-protection entry. This scheme achieves effective defence against attacks by TCP SYN messages.

Description

A kind of anti-attack method, device, router device and machinable medium
Technical field
The present application relates to the field of communication technology, and in particular to an anti-attack method, an anti-attack device, a router device and a machine-readable storage medium.
Background technology
When a TCP (Transmission Control Protocol) connection is established, the client and the server need to complete a three-way handshake, in which the first handshake message sent by the client to the server is a SYN (Synchronous) message. TCP connections frequently suffer TCP SYN FLOOD attacks. In such an attack, a large number of TCP SYN messages exhausts the TCP resources of the device and at the same time affects the TCP connections that have already been established.
Summary of the invention
The purpose of the embodiments of the present application is to provide an anti-attack method, an anti-attack device, a router device and a machine-readable storage medium that achieve effective defence against attacks by TCP SYN messages. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present application provides an anti-attack method applied to a router device, the method including:
after an attack message is determined according to the rate at which TCP SYN messages are received, establishing an attack-protection entry;
judging whether the current rate at which the attack message is received is less than a preset attack-strength threshold;
when the current rate at which the attack message is received is less than the preset attack-strength threshold, aging the attack-protection entry.
In a second aspect, an embodiment of the present application provides an attack-protection device, the device including:
an entry establishing module, configured to establish an attack-protection entry after an attack message is determined according to the rate at which TCP SYN messages are received;
a judging module, configured to judge whether the current rate at which the attack message is received is less than a preset attack-strength threshold;
an entry aging module, configured to age the attack-protection entry when the current rate at which the attack message is received is less than the preset attack-strength threshold.
In a third aspect, an embodiment of the present application provides a router device including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions cause the processor to implement the method steps of the first aspect.
In a fourth aspect, an embodiment of the present application provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the method steps of the first aspect.
In the anti-attack method, device, router device and machine-readable storage medium provided by the embodiments of the present application, an attack-protection entry is established after an attack message is determined according to the rate at which TCP SYN messages are received. When it is determined by judgement that the current rate at which the attack message is received is less than the preset attack-strength threshold, it is determined that the attack frequency of the attack message has declined, so the attack-protection entry can be aged and deleted and the TCP SYN messages can be received again. By judging the current rate at which attack messages are received, the TCP SYN messages whose attack frequency has declined are determined more accurately, and the aging of the attack-protection entry is based on that judgement rather than being affected by the number of ports sending TCP SYN messages. This effectively avoids the problem that a port which is still attacking hits the device at the moment the attack-protection entry is aged, so that attacks by TCP SYN messages are defended against more effectively.
Brief description of the drawings
In order to explain the technical schemes of the embodiments of the present application or of the prior art more clearly, the drawings required in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a connection diagram for simulating an attack by TCP SYN messages in the prior art;
Fig. 2 is a flowchart of an anti-attack method according to an embodiment of the present application;
Fig. 3 is another flowchart of an anti-attack method according to an embodiment of the present application;
Fig. 4 is a structural diagram of an attack-protection device according to an embodiment of the present application;
Fig. 5 is another structural diagram of an attack-protection device according to an embodiment of the present application;
Fig. 6 is yet another structural diagram of an attack-protection device according to an embodiment of the present application;
Fig. 7 is a structural diagram of a router device according to an embodiment of the present application.
Detailed description of the embodiments
The technical schemes in the embodiments of the present application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.
A router device can be connected to a tester to simulate an attack on the router device by TCP SYN messages; Fig. 1 is the connection diagram for such a simulated attack. After defence against attacks by TCP SYN messages is enabled, the router device is in the attack-detection state. When the processor in the router device detects that the rate at which TCP SYN messages with the same features are received has persistently met or exceeded the activation threshold, it determines that those TCP SYN messages are attack messages, and the router device enters the defence state: the processor issues an attack-protection entry to the forwarding chip of the router device, so that the forwarding chip discards the attack messages matching the entry.
When the aging time is reached, the processor in the router device issues a command to delete the attack-protection entry for the corresponding message feature, the forwarding chip deletes that entry, and the TCP SYN messages received thereafter are once again sent up to the processor of the router device. If those TCP SYN messages are still attack messages, the attack-protection entry was deleted too early: the attack messages hit the router device again and may cause the normal TCP connections that have already been established to flap.
Therefore, in one implementation, the number of attack-protection entries aged per second is limited when the aging time is reached. When there are many attack sources sending attack messages, only the attack messages of the entries aged in that second can still hit the device, which reduces the proportion of the device that is under attack.
However, the limit on the number of attack-protection entries aged per second is set from the experience of technical staff, while in practice the number of attack sources of the router device is often hard to determine. When the number of attack sources changes, the number of entries aged per second cannot be adjusted dynamically to follow it. For example, if the number of attack sources drops from 10000 to only 200 while the limit on entries aged per second remains 100, half of the attack sources attack the router device at once, and the protection against attacks by TCP SYN messages is poor.
To achieve effective defence against attacks by TCP SYN messages, the embodiments of the present application provide an anti-attack method, an anti-attack device, a router device and a machine-readable storage medium.
The anti-attack method provided by the embodiments of the present application is introduced first.
It should be noted that the executing entity of the anti-attack method provided by the embodiments of the present application is a router device in a computer network system. The router device contains a chip capable of logical processing, such as a DSP (Digital Signal Processor), an ARM (Advanced RISC Machines) microprocessor or an FPGA (Field-Programmable Gate Array). The method may be implemented by any one, any two or all three of software, a hardware circuit and a logic circuit arranged in the executing entity.
As shown in Fig. 2, the anti-attack method provided by the embodiments of the present application may include the following steps:
S201: after an attack message is determined according to the rate at which TCP SYN messages are received, establish an attack-protection entry.
When TCP connections are being established, the server receives TCP SYN messages through the router device. Through user configuration or an enabling instruction from the server, the router device can enable defence against attacks by TCP SYN messages and enter the TCP attack-protection detection state, in which the processor of the router device starts to count the received TCP SYN messages. Using the five-tuple of source IP (Internet Protocol) address, source port, destination IP address, destination port and transport-layer protocol, it counts the TCP SYN messages whose five-tuples are identical (that is, sent by the same port) within a certain time and computes the number of TCP SYN messages received per second, which is the rate at which TCP SYN messages are received. An attack-protection threshold is set; when the detected rate of receiving TCP SYN messages reaches that threshold, the TCP SYN messages are determined to be attack messages and the port sending them is determined to be the attack source.
After the attack message and the attack source are determined, the processor of the router device can establish and issue an attack-protection entry. The entry may contain the IP address of the attack source, attribute information of the TCP SYN messages, and other information related to the attack source and to the attribute information of the attack message. The TCP SYN messages can be any routing-protocol messages, such as BGP (Border Gateway Protocol) messages, OSPF (Open Shortest Path First) protocol messages or IS-IS (Intermediate System to Intermediate System) protocol messages.
Because the attack-protection entry contains information related to the attack source and to the attribute information of the attack message, it specifies which TCP SYN messages, sent by which port and carrying which features, are attack messages. After receiving TCP SYN messages, the router device therefore discards those matching the attack-protection entry, which stops the continued attack by the TCP SYN messages that are attack messages. To determine the attack strength of the port, the number of discarded TCP SYN messages can be counted, that is, the number of received attack messages is counted, and the current rate at which attack messages are received is obtained from that count.
The router device can record the counted number of received attack messages in the attack-protection entry; it can also add a function for counting received attack messages to the attack-protection entry, so that the entry itself counts them; or it can record the count in a pre-allocated storage region of the router device.
S202: judge whether the current rate at which the attack message is received is less than the preset attack-strength threshold.
The preset attack-strength threshold represents the strength of the attack on the router device and can be expressed as a rate of receiving attack messages. The number of attack messages received by the router device directly reflects the degree to which it is under attack, so the current rate can be calculated from the number of attack messages received within a preset time interval, and it can then be judged whether the TCP SYN messages are still attack messages. After the number of received attack messages has been counted, the current rate can be calculated by the following steps and then compared with the preset attack-strength threshold:
Step 1: obtain a first number of attack messages received at a first moment and a second number of attack messages received at a second moment;
Step 2: calculate the current rate at which attack messages are received from the first number, the second number, the first moment and the second moment.
When counting the number of received attack messages, the router device can also record the moment at which attack messages are received, and record both the number and the moment in the attack-protection entry. The first moment is the current moment at which attack messages are received; the second moment is a moment before the first moment at which attack messages were received. The first number received at the first moment and the second number received at the second moment can be absolute numbers, that is, counts accumulated in time order. For example, 10 attack messages have been received by 10:00:15, and 20 attack messages in total have been received between 10:00:15 and the current time 10:00:30; the first moment is then 10:00:30 and the second moment 10:00:15. The router device obtains the first number Count1 received at the first moment and the second number Count2 received at the second moment from the attack-protection entry or from another storage region holding the attack-message count. The current rate of receiving attack messages is then S = (Count1 - Count2) / T, where S is the current rate, Count1 the first number, Count2 the second number, and T the preset time interval.
The first number and the second number can also be relative numbers, that is, the number of attack messages received at a particular moment. For example, 10 attack messages are received at 10:00:00, 15 at 10:00:01, 12 at 10:00:02, 17 at 10:00:03, 20 at 10:00:04 and 16 at 10:00:05; within the 5 seconds from 10:00:00 to 10:00:05 a total of 90 attack messages are received, and the rate is calculated as 18 per second.
S203: when the current rate at which the attack message is received is less than the preset attack-strength threshold, age the attack-protection entry.
If the current rate at which attack messages are received is less than the preset attack-strength threshold, the attack frequency of the TCP SYN messages sent by the port has declined; aging the attack-protection entry therefore allows the TCP SYN messages sent by that port to be received again.
The preset attack-strength threshold can be set to the same value as the attack-protection threshold used when determining whether a message is an attack message. To improve detection accuracy, it can also be set to a value larger than the attack-protection threshold. For example, if the attack-protection threshold is 20 per second, the preset attack-strength threshold can be set to any value not less than 20 per second, such as 20, 23 or 25 per second. When the current rate of receiving attack messages is less than the preset attack-strength threshold, for example when the threshold is 23 per second and the calculated current rate is 16 per second, the attack frequency of the TCP SYN messages sent by the port has declined, and the attack-protection entry can be aged and deleted so that the TCP SYN messages sent by that port are received again.
Based on the embodiment of Fig. 2, and as shown in Fig. 3, the embodiments of the present application provide another anti-attack method under TCP, which may include the following steps:
S301: after an attack message is determined according to the rate at which TCP SYN messages are received, establish an attack-protection entry.
S302: judge whether the current rate at which the attack message is received is less than the preset attack-strength threshold; if so, perform S303, otherwise perform S304.
In one implementation, when the aging duration of the attack-protection entry reaches the preset aging duration, it is judged again whether the current rate of receiving attack messages is less than the preset attack-strength threshold. This further restricts the time point at which the attack-protection entry is aged and deleted: the current moment of receiving attack messages can be the time point at which the aging duration of the entry reaches the preset aging duration. Before step S302, the method may therefore also include:
Step 1: determine the attack duration of the attack message;
Step 2: judge whether the attack duration is an integral multiple of the preset aging duration, and if so, perform S302.
The current moment of receiving attack messages can be the moment at which the counted attack duration reaches the preset aging duration. The counted attack duration can be recorded in the attack-protection entry, counted directly by the attack-protection entry, or recorded in a pre-allocated storage region of the router device. If it is recorded in the attack-protection entry, the processor of the router device obtains the attack duration directly from the entry and compares it with the preset aging duration to judge whether it is an integral multiple of the preset aging duration. If the attack duration is recorded in the storage region, the processor obtains it directly from the storage region; this is not repeated here.
The attack duration can be determined as follows:
count the attack time of the attack message and use that attack time as the attack duration;
or
count the attack time of the attack message, and when the attack time reaches the preset aging duration, reset it and count the attack time of the attack message again, using the newly counted attack time as the attack duration.
In this embodiment, when the counted attack time of the attack message is an integral multiple of the preset aging duration, the attack-protection entry enters the next aging cycle and the attack duration continues to be counted. It is judged whether the accumulated attack duration reaches an integral multiple of the preset aging duration; if so, the corresponding attack-protection entry is regarded as an entry to be aged and can be given a pre-aging mark. After the pre-aging mark is assigned, if the rate of receiving attack messages is not less than the preset attack-strength threshold, the pre-aging mark is cleared so that the attack-protection entry is removed from the entries to be aged. Alternatively, when the attack time of the attack message reaches the preset aging time, that is, within one aging cycle, the counted attack time is reset and the attack time of the attack messages whose attack frequency is still high is counted again, so that the attack-protection entry enters the next aging cycle.
S303: age the attack-protection entry.
S304: maintain the attack-protection entry.
When the current rate of receiving attack messages is not less than the preset attack-strength threshold, the attack frequency of the TCP SYN messages that are attack messages is still high; the attack-protection entry is therefore kept in the maintained state, and the received TCP SYN messages that are attack messages continue to be discarded according to the attack-protection entry.
It should be noted that S301 to S303 correspond to S201 to S203 of the embodiment of Fig. 2; identical steps have identical beneficial effects and are not repeated here.
With this embodiment, an attack-protection entry is established after an attack message is determined according to the rate at which TCP SYN messages are received, and the entry is aged and deleted only when the current rate of receiving attack messages is judged to be less than the preset attack-strength threshold, so the aging of the entry is not affected by the number of ports sending TCP SYN messages. When the attack strength is not less than the preset attack-strength threshold, the attack-protection entry is maintained and the received attack messages continue to be discarded, so that however the attack sources change, once an attack-protection entry has been generated no impact on the router device is produced.
The above embodiments are described in detail below with a specific example.
Take an interface on the router device as an example:
The processor in the router device counts the TCP SYN messages received on the interface according to five-tuple information and obtains the statistics shown in Table 1.
Table 1: TCP SYN message statistics

Source IP address   Destination IP address   Source port   Destination port   Message count
1.1.1.1             2.2.2.2                  5000          8000               5
1.1.1.2             2.2.2.2                  6000          8000               15
1.1.1.3             2.2.2.2                  7000          8000               12
Assuming that the preset attack-protection threshold is 13, the TCP SYN messages sent by source IP address 1.1.1.2 are determined to be attack messages, and the port corresponding to that source IP address is the attack source. After the attack message is detected, an attack-protection entry is established containing the information that the source IP address is 1.1.1.2 or the source port is 6000. The processor of the router device issues the entry to the receiving circuit to indicate that the received TCP SYN messages sent by source IP address 1.1.1.2 are to be discarded; each time an attack message is discarded, the count value in the attack-protection entry counts the number of discarded attack messages.
Although the TCP SYN messages sent by source IP address 1.1.1.2 are determined to be attack messages and discarded, the attack source can continue to send them, so the number of TCP SYN messages discarded by the router device directly reflects whether the TCP SYN messages sent by that port are still attack messages.
In this example, the attack duration is recorded from the moment the TCP SYN messages sent by source IP address 1.1.1.2 are determined to be attack messages, and an aging duration of 60 s is set. When the attack duration reaches 60 s, the attack-protection entry for that source IP address is given a pre-aging mark, and the numbers of discarded attack messages counted at a first moment and a second moment within the preset time interval of 5 s are obtained. If the rate calculated from the number of attack messages discarded within the 5 s is greater than the preset attack-strength threshold, the attack frequency of the TCP SYN messages sent by 1.1.1.2 is still high: the pre-aging mark is cleared and the received attack messages continue to be discarded. If the rate calculated from that number is less than the preset attack-strength threshold, the attack frequency of the TCP SYN messages sent by 1.1.1.2 has dropped: the attack-protection entry is aged and deleted, and TCP SYN messages are received again.
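The detection, dropping and aging flow of Fig. 2 and Fig. 3 (S201 to S203, S301 to S304) and the Table 1 example above, simulated one second at a time as an added example; this is illustrative code written for this page, not H3C's implementation. The class and function names (SynGuard, Entry, tick, run_example), the per-second input model, the transport protocol "tcp" in the five-tuple and the attack-strength threshold of 15 are assumptions; the attack-protection threshold of 13, the 60 s aging duration and the 5 s interval come from the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Five-tuple the patent uses to group TCP SYN messages:
# (source IP, destination IP, source port, destination port, transport protocol).
Flow = Tuple[str, str, int, int, str]


@dataclass
class Entry:
    """Attack-protection entry for one attack source, as issued to the forwarding chip."""
    flow: Flow
    dropped: int = 0            # attack messages discarded so far (absolute count)
    attack_time: int = 0        # seconds of attack duration counted since the entry was created
    pre_aging: bool = False     # pre-aging mark, set at each integral multiple of the aging duration
    history: Dict[int, int] = field(default_factory=dict)  # second -> dropped count at that second


class SynGuard:
    """Processor-side logic of the patent's method, simulated one second at a time (hypothetical)."""

    def __init__(self, attack_threshold: int, strength_threshold: int,
                 aging_duration: int = 60, interval: int = 5) -> None:
        # The patent sets the attack-strength threshold to at least the attack-protection threshold.
        if strength_threshold < attack_threshold:
            raise ValueError("attack-strength threshold must not be below the attack-protection threshold")
        self.attack_threshold = attack_threshold      # SYN/s at which a flow becomes an attack message
        self.strength_threshold = strength_threshold  # attack messages/s below which the entry ages
        self.aging_duration = aging_duration          # seconds per aging cycle
        self.interval = interval                      # T in S = (Count1 - Count2) / T
        self.entries: Dict[Flow, Entry] = {}

    def rate(self, entry: Entry, now: int) -> float:
        """S = (Count1 - Count2) / T: Count1 is the count at `now`, Count2 the count T seconds earlier."""
        count1 = entry.history[now]
        count2 = entry.history.get(now - self.interval, 0)
        return (count1 - count2) / self.interval

    def tick(self, now: int, syn_counts: Dict[Flow, int]) -> dict:
        """Process one second of traffic; syn_counts maps each five-tuple to the SYNs it sent."""
        events: dict = {"created": [], "aged": [], "maintained": [], "rates": {}}
        # S201: flows without an entry are checked against the attack-protection threshold.
        for flow, n in syn_counts.items():
            if flow not in self.entries and n >= self.attack_threshold:
                entry = Entry(flow)
                entry.history[now] = 0
                self.entries[flow] = entry
                events["created"].append(flow)
        # The forwarding chip discards SYNs matching an entry and counts each discard in the entry.
        for flow, entry in list(self.entries.items()):
            if flow in events["created"]:
                continue                              # entry issued this second; dropping starts next second
            entry.dropped += syn_counts.get(flow, 0)
            entry.history[now] = entry.dropped
            entry.attack_time += 1
            for old in [t for t in entry.history if t < now - self.interval]:
                del entry.history[old]                # keep only the samples needed for Count2
            # S302 runs only when the attack duration is an integral multiple of the aging duration.
            if entry.attack_time % self.aging_duration != 0:
                continue
            entry.pre_aging = True
            current = self.rate(entry, now)
            events["rates"][flow] = current
            if current < self.strength_threshold:
                del self.entries[flow]                # S303: age the entry; SYNs reach the CPU again
                events["aged"].append(flow)
            else:
                entry.pre_aging = False               # S304: clear the mark and maintain the entry
                events["maintained"].append(flow)
        return events


# Constructed input reproducing Table 1 (5, 15 and 12 SYNs in one second; protocol assumed TCP).
TABLE1: Dict[Flow, int] = {
    ("1.1.1.1", "2.2.2.2", 5000, 8000, "tcp"): 5,
    ("1.1.1.2", "2.2.2.2", 6000, 8000, "tcp"): 15,
    ("1.1.1.3", "2.2.2.2", 7000, 8000, "tcp"): 12,
}
ATTACKER: Flow = ("1.1.1.2", "2.2.2.2", 6000, 8000, "tcp")


def run_example() -> dict:
    """Threshold 13 (from the example), strength threshold 15 (assumed), 60 s aging, 5 s interval."""
    guard = SynGuard(attack_threshold=13, strength_threshold=15, aging_duration=60, interval=5)
    log = {"t0": guard.tick(0, TABLE1)}               # only 1.1.1.2 (15 >= 13) gets an entry
    for t in range(1, 61):                            # attacker keeps sending 15 SYN/s
        ev = guard.tick(t, {ATTACKER: 15})
    log["t60"] = ev                                   # S = (900 - 825) / 5 = 15: not below 15, maintained
    for t in range(61, 121):                          # attack frequency drops to 10 SYN/s
        ev = guard.tick(t, {ATTACKER: 10})
    log["t120"] = ev                                  # S = (1500 - 1450) / 5 = 10: below 15, aged
    log["entries_left"] = len(guard.entries)
    return log


if __name__ == "__main__":
    print(run_example())
```

Because the aging check runs only at multiples of the aging duration, an attacker whose rate drops between checks keeps being dropped until the next cycle, which is the behaviour the Fig. 3 flow describes.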
Compared with the prior-art scheme, this scheme establishes an attack-protection entry after an attack message is determined according to the rate at which TCP SYN messages are received, and ages and deletes the entry, so that the TCP SYN messages are received again, only when it is judged that the current rate of receiving attack messages is less than the preset attack-strength threshold, which shows that the attack frequency of the attack message has declined. By judging the current rate of receiving attack messages, the TCP SYN messages whose attack frequency has declined are determined more accurately, and the aging of the attack-protection entry is based on that judgement rather than being affected by the number of ports sending TCP SYN messages. This effectively avoids the problem that a port which is still attacking hits the device at the moment the attack-protection entry is aged, so that attacks by TCP SYN messages are defended against more effectively.
Corresponding to the above embodiments, an embodiment of the present application provides an attack-protection device which, as shown in Fig. 4, may include:
an entry establishing module 410, configured to establish an attack-protection entry after an attack message is determined according to the rate at which TCP SYN messages are received;
a judging module 420, configured to judge whether the current rate at which the attack message is received is less than a preset attack-strength threshold;
an entry aging module 430, configured to age the attack-protection entry when the current rate at which the attack message is received is less than the preset attack-strength threshold.
The attack-protection device may also include:
an acquisition module, configured to obtain a first number of the attack message received at a first moment and a second number of the attack message received at a second moment, where the first moment is the current moment at which the attack message is received and the second moment is a moment before the first moment at which the attack message was received;
a calculation module, configured to calculate the current rate at which the attack message is received from the first number, the second number, the first moment and the second moment.
With the embodiment of the present application, after attack messages are determined according to the rate at which TCP SYN messages are received, an anti-attack entry is established, and when it is determined by judgement that the current rate of receiving attack messages is below the preset attack strength threshold, it is concluded that the attack frequency of the attack messages has declined, so the anti-attack entry can be aged and deleted and TCP SYN messages are received again. By judging the current rate of receiving attack messages, TCP SYN messages whose attack frequency has declined are identified more accurately; because the aging of the anti-attack entry is based on that judgement rather than on the number of ports sending TCP SYN messages, the problem of a port under sustained attack impacting the device at the moment the anti-attack entry is aged is effectively avoided, giving a more effective defence against TCP SYN message attacks.
Based on the embodiment shown in Figure 4, as shown in Figure 5, an embodiment of the present application further provides an anti-attack device, which may include:
an entry establishing module 510, for establishing an anti-attack entry after attack messages have been determined according to the rate at which TCP SYN messages are received;
a judging module 520, for judging whether the current rate of receiving the attack messages is below the preset attack strength threshold;
an entry aging module 530, for aging the anti-attack entry when the current rate of receiving the attack messages is below the preset attack strength threshold;
an entry maintenance module 540, for maintaining the anti-attack entry when the current rate of receiving the attack messages is not below the preset attack strength threshold.
With the embodiment of the present application, after attack messages are determined according to the rate at which TCP SYN messages are received, an anti-attack entry is established, and when it is determined by judgement that the current rate of receiving attack messages is below the preset attack strength threshold, it is concluded that the attack frequency of the attack messages has declined, so the anti-attack entry can be aged and deleted and TCP SYN messages are received again. By judging the current rate of receiving attack messages, TCP SYN messages whose attack frequency has declined are identified more accurately; because the aging of the anti-attack entry is based on that judgement rather than on the number of ports sending TCP SYN messages, the problem of a port under sustained attack impacting the device at the moment the anti-attack entry is aged is effectively avoided, giving a more effective defence against TCP SYN message attacks. When the attack strength is not below the preset attack strength threshold, the anti-attack entry is maintained and the received attack messages continue to be discarded, so that however the attack source changes, once an anti-attack entry has been generated no impact is produced on the router device.
Based on the embodiment shown in Figure 4, as shown in Figure 6, an embodiment of the present application further provides an anti-attack device, which may include:
an entry establishing module 610, for establishing an anti-attack entry after attack messages have been determined according to the rate at which TCP SYN messages are received;
an attack duration determining module 620, for determining the attack duration of the attack messages;
a judging module 630, for judging whether the attack duration is an integral multiple of the preset aging duration and, if so, judging whether the current rate of receiving the attack messages is below the preset attack strength threshold;
an entry aging module 640, for aging the anti-attack entry when the current rate of receiving the attack messages is below the preset attack strength threshold.
The attack duration determining module 620 may specifically be used for:
counting the attack time of the attack messages and taking the attack time of the attack messages as the attack duration;
or,
counting the attack time of the attack messages and, when the attack time of the attack messages reaches the preset aging duration, resetting the attack time of the attack messages so as to count the attack time of the attack messages anew, and taking the newly counted attack time as the attack duration.
With the embodiment of the present application, after attack messages are determined according to the rate at which TCP SYN messages are received, an anti-attack entry is established, and when it is determined by judgement that the current rate of receiving attack messages is below the preset attack strength threshold, it is concluded that the attack frequency of the attack messages has declined, so the anti-attack entry can be aged and deleted and TCP SYN messages are received again. By judging the current rate of receiving attack messages, TCP SYN messages whose attack frequency has declined are identified more accurately; because the aging of the anti-attack entry is based on that judgement rather than on the number of ports sending TCP SYN messages, the problem of a port under sustained attack impacting the device at the moment the anti-attack entry is aged is effectively avoided, giving a more effective defence against TCP SYN message attacks. When the attack strength is not below the preset attack strength threshold, the anti-attack entry is maintained and the received attack messages continue to be discarded, so that however the attack source changes, once an anti-attack entry has been generated no impact is produced on the router device.
It should be noted that the anti-attack device of the embodiments of the present application is a device that applies the above anti-attack method, so all embodiments of the above anti-attack method apply to the anti-attack device and can achieve the same or similar beneficial effects.
An embodiment of the present application further provides a router device, as shown in Figure 7, which includes a processor 710 and a machine-readable storage medium 720. The machine-readable storage medium 720 stores machine-executable instructions that can be executed by the processor 710, and the machine-executable instructions cause the processor 710 to implement the following steps:
after attack messages are determined according to the rate at which TCP SYN messages are received, establishing an anti-attack entry;
judging whether the current rate of receiving the attack messages is below the preset attack strength threshold;
when the current rate of receiving the attack messages is below the preset attack strength threshold, aging the anti-attack entry.
The processor 710 may further perform:
when the current rate of receiving the attack messages is not below the preset attack strength threshold, maintaining the anti-attack entry.
The processor 710 may further perform:
determining the attack duration of the attack messages;
judging whether the attack duration is an integral multiple of the preset aging duration;
if so, performing the step of judging whether the current rate of receiving the attack messages is below the preset attack strength threshold.
The processor 710 may determine the attack duration as follows:
counting the attack time of the attack messages and taking the attack time of the attack messages as the attack duration;
or,
counting the attack time of the attack messages and, when the attack time of the attack messages reaches the preset aging duration, resetting the attack time of the attack messages so as to count the attack time of the attack messages anew, and taking the newly counted attack time as the attack duration.
The processor 710 may obtain the current rate of receiving the attack messages in the following way:
obtaining a first number of the attack messages received by a first moment and a second number of the attack messages received by a second moment, where the first moment is the moment at which the attack message is currently received and the second moment is a moment before the first moment at which an attack message was received;
computing the current rate of receiving the attack messages from the first number, the second number, the first moment and the second moment.
The machine-readable storage medium mentioned for the above router device may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one magnetic disk memory. Optionally, the machine-readable storage medium may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a CPU (Central Processing Unit), an NP (Network Processor) and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In this embodiment, by reading the computer program stored in the machine-readable storage medium and running it, the processor can achieve the following: after attack messages are determined according to the rate at which TCP SYN messages are received, an anti-attack entry is established, and when it is determined by judgement that the current rate of receiving attack messages is below the preset attack strength threshold, it is concluded that the attack frequency of the attack messages has declined, so the anti-attack entry can be aged and deleted and TCP SYN messages are received again. By judging the current rate of receiving attack messages, TCP SYN messages whose attack frequency has declined are identified more accurately; because the aging of the anti-attack entry is based on that judgement rather than on the number of ports sending TCP SYN messages, the problem of a port under sustained attack impacting the device at the moment the anti-attack entry is aged is effectively avoided, giving a more effective defence against TCP SYN message attacks.
Corresponding to the anti-attack method provided by the above embodiments, an embodiment of the present application further provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the following steps:
after attack messages are determined according to the rate at which TCP SYN messages are received, establishing an anti-attack entry;
judging whether the current rate of receiving the attack messages is below the preset attack strength threshold;
when the current rate of receiving the attack messages is below the preset attack strength threshold, aging the anti-attack entry.
The processor may further implement:
when the current rate of receiving the attack messages is not below the preset attack strength threshold, maintaining the anti-attack entry.
The processor may further implement:
determining the attack duration of the attack messages;
judging whether the attack duration is an integral multiple of the preset aging duration;
if so, judging whether the current rate of receiving the attack messages is below the preset attack strength threshold.
The processor may determine the attack duration as follows:
counting the attack time of the attack messages and taking the attack time of the attack messages as the attack duration;
or,
counting the attack time of the attack messages and, when the attack time of the attack messages reaches the preset aging duration, resetting the attack time of the attack messages so as to count the attack time of the attack messages anew, and taking the newly counted attack time as the attack duration.
The processor may obtain the current rate of receiving the attack messages in the following way:
obtaining a first number of the attack messages received by a first moment and a second number of the attack messages received by a second moment, where the first moment is the moment at which the attack message is currently received and the second moment is a moment before the first moment at which an attack message was received;
computing the current rate of receiving the attack messages from the first number, the second number, the first moment and the second moment.
In this embodiment, the machine-readable storage medium stores an application program that, when run, performs the anti-attack method provided by the embodiments of the present application, and can therefore achieve the following: after attack messages are determined according to the rate at which TCP SYN messages are received, an anti-attack entry is established, and when it is determined by judgement that the current rate of receiving attack messages is below the preset attack strength threshold, it is concluded that the attack frequency of the attack messages has declined, so the anti-attack entry can be aged and deleted and TCP SYN messages are received again. By judging the current rate of receiving attack messages, TCP SYN messages whose attack frequency has declined are identified more accurately; because the aging of the anti-attack entry is based on that judgement rather than on the number of ports sending TCP SYN messages, the problem of a port under sustained attack impacting the device at the moment the anti-attack entry is aged is effectively avoided, giving a more effective defence against TCP SYN message attacks.
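The entry lifecycle described in the method and device embodiments above (establish the entry on the SYN receive rate, judge only at integral multiples of the aging duration, compute the current rate from the first/second count and moment, then age or maintain) as an added Python simulation; this is illustrative code written for this page, not the patent's or H3C's implementation, and the thresholds, the one-second sampling interval and the SYN trace are constructed assumptions.

```python
"""Simulation of the anti-attack entry lifecycle for TCP SYN floods.

Added illustration for this page, not the patent's own implementation.
Traffic is fed as per-second SYN counts (constructed sample data); all
thresholds are assumed values chosen for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AntiAttackEntry:
    """Anti-attack entry created once the SYN rate marks an attack.

    attack_count / attack_time: attack messages seen and seconds elapsed
    since the entry was established (the 'attack duration').
    ref_count / ref_time: the 'second number' and 'second moment', i.e. the
    sample taken at the previous aging check, against which the current
    rate is computed.
    """
    attack_count: int
    attack_time: int
    ref_count: int
    ref_time: int


class SynFloodGuard:
    """Decides forward / drop / age for each one-second batch of SYNs."""

    def __init__(self, detect_threshold: int, intensity_threshold: int,
                 aging_duration: int) -> None:
        self.detect_threshold = detect_threshold        # SYN/s that marks an attack
        self.intensity_threshold = intensity_threshold  # preset attack strength threshold (SYN/s)
        self.aging_duration = aging_duration            # seconds; checks happen at its multiples
        self.entry: Optional[AntiAttackEntry] = None
        self.events: List[str] = []                     # human-readable audit trail

    def observe(self, syn_count: int) -> str:
        """Feed the number of TCP SYN messages received in the last second.

        Returns 'forward' (no entry, traffic passed), 'drop' (entry present,
        attack messages discarded) or 'aged' (entry deleted at this check).
        """
        if self.entry is None:
            if syn_count < self.detect_threshold:
                return "forward"
            # Attack determined from the SYN receive rate: establish the entry and
            # take the first count/time sample as the reference for the next check.
            self.entry = AntiAttackEntry(attack_count=syn_count, attack_time=1,
                                         ref_count=syn_count, ref_time=1)
            self.events.append(f"establish rate={syn_count}/s")
            return "drop"

        e = self.entry
        e.attack_count += syn_count   # every SYN while the entry exists is an attack message
        e.attack_time += 1

        # Only judge the rate at integral multiples of the aging duration; in
        # between, the entry is kept and attack messages keep being dropped.
        if e.attack_time % self.aging_duration != 0:
            return "drop"

        # First number/moment = now; second number/moment = previous check.
        # The decision depends only on this rate, not on how many ports the
        # SYNs arrive from.
        current_rate = (e.attack_count - e.ref_count) // (e.attack_time - e.ref_time)
        if current_rate < self.intensity_threshold:
            self.entry = None   # attack frequency declined: age the entry, receive SYNs again
            self.events.append(f"age rate={current_rate}/s")
            return "aged"
        # Still under attack: maintain the entry and refresh the reference sample.
        e.ref_count, e.ref_time = e.attack_count, e.attack_time
        self.events.append(f"maintain rate={current_rate}/s")
        return "drop"


def simulate(per_second_syns: List[int], detect_threshold: int = 1000,
             intensity_threshold: int = 200, aging_duration: int = 5) -> List[str]:
    """Run a per-second SYN trace through the guard and return its decisions."""
    guard = SynFloodGuard(detect_threshold, intensity_threshold, aging_duration)
    return [guard.observe(n) for n in per_second_syns]


# Constructed trace: quiet, a 5 s flood, the flood fades, then normal traffic.
SAMPLE_TRACE = [50, 5000, 5000, 5000, 5000, 5000, 100, 100, 100, 100, 100, 50]

if __name__ == "__main__":
    for second, (syns, decision) in enumerate(zip(SAMPLE_TRACE, simulate(SAMPLE_TRACE)), 1):
        print(f"t={second:2d}s syn={syns:5d} -> {decision}")
```

With the sample trace the entry is maintained at the first check (t=6 s, 5000 SYN/s) and aged at the second (t=11 s, 100 SYN/s), after which SYNs are forwarded again.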
As the method content involved in the router device and machine-readable storage medium embodiments is substantially similar to the foregoing method embodiments, their description is relatively brief; for related details, refer to the description of the method embodiments.
It should be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another and do not necessarily require or imply any such actual relation or order between those entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that includes that element.
Each embodiment in this specification is described in a related manner; for identical or similar parts between the embodiments, refer to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief; for related details, refer to the description of the method embodiments.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit the scope of protection of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall fall within the scope of protection of the present application.

Claims (12)

1. An anti-attack method, characterised in that it is applied to a router device and the method includes:
after attack messages are determined according to the rate at which TCP SYN messages are received, establishing an anti-attack entry;
judging whether the current rate of receiving the attack messages is below a preset attack strength threshold;
when the current rate of receiving the attack messages is below the preset attack strength threshold, aging the anti-attack entry.
2. The method according to claim 1, characterised in that when the current rate of receiving the attack messages is not below the preset attack strength threshold, the anti-attack entry is maintained.
3. The method according to claim 1, characterised in that the method further includes:
determining the attack duration of the attack messages;
judging whether the attack duration is an integral multiple of a preset aging duration;
if so, performing the step of judging whether the current rate of receiving the attack messages is below the preset attack strength threshold.
4. The method according to claim 3, characterised in that the attack duration is determined as follows:
counting the attack time of the attack messages and taking the attack time of the attack messages as the attack duration;
or,
counting the attack time of the attack messages and, when the attack time of the attack messages reaches the preset aging duration, resetting the attack time of the attack messages so as to count the attack time of the attack messages anew, and taking the newly counted attack time as the attack duration.
5. The method according to any one of claims 1-4, characterised in that the current rate of receiving the attack messages is obtained as follows:
obtaining a first number of the attack messages received by a first moment and a second number of the attack messages received by a second moment, where the first moment is the moment at which the attack message is currently received and the second moment is a moment before the first moment at which an attack message was received;
computing the current rate of receiving the attack messages from the first number, the second number, the first moment and the second moment.
6. An anti-attack device, characterised in that the device includes:
an entry establishing module, for establishing an anti-attack entry after attack messages have been determined according to the rate at which TCP SYN messages are received;
a judging module, for judging whether the current rate of receiving the attack messages is below a preset attack strength threshold;
an entry aging module, for aging the anti-attack entry when the current rate of receiving the attack messages is below the preset attack strength threshold.
7. The device according to claim 6, characterised in that the device further includes:
an entry maintenance module, for maintaining the anti-attack entry when the current rate of receiving the attack messages is not below the preset attack strength threshold.
8. The device according to claim 6, characterised in that the device further includes:
an attack duration determining module, for determining the attack duration of the attack messages;
and the judging module is further used for:
judging whether the attack duration is an integral multiple of a preset aging duration;
if so, judging whether the current rate of receiving the attack messages is below the preset attack strength threshold.
9. The device according to claim 8, characterised in that the attack duration determining module is specifically used for:
counting the attack time of the attack messages and taking the attack time of the attack messages as the attack duration;
or,
counting the attack time of the attack messages and, when the attack time of the attack messages reaches the preset aging duration, resetting the attack time of the attack messages so as to count the attack time of the attack messages anew, and taking the newly counted attack time as the attack duration.
10. The device according to any one of claims 6-9, characterised in that the device further includes:
an acquisition module, for obtaining a first number of the attack messages received by a first moment and a second number of the attack messages received by a second moment, where the first moment is the moment at which the attack message is currently received and the second moment is a moment before the first moment at which an attack message was received;
a computing module, for computing the current rate of receiving the attack messages from the first number, the second number, the first moment and the second moment.
11. A router device, characterised in that it includes a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, and the machine-executable instructions causing the processor to implement the method steps of any one of claims 1-5.
12. A machine-readable storage medium, characterised in that it stores machine-executable instructions which, when called and executed by a processor, cause the processor to implement the method steps of any one of claims 1-5.
Application CN201710499051.7A, filed 2017-06-27 (priority date 2017-06-27): Anti-attack method and device, router equipment and machine readable storage medium. Granted as CN107547507B (status: active).

Publications (2)

Publication Number Publication Date
CN107547507A true CN107547507A (en) 2018-01-05
CN107547507B CN107547507B (en) 2021-07-09
