CN108023866B - Anti-attack processing method and network equipment - Google Patents


Info

Publication number
CN108023866B
Authority
CN
China
Prior art keywords
tcp
tcp syn
syn message
message
forwarding chip
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610971817.2A
Other languages
Chinese (zh)
Other versions
CN108023866A (en)
Inventor
金义亭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201610971817.2A
Publication of CN108023866A
Application granted
Publication of CN108023866B
Legal status: Active
Anticipated expiration: not listed

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides an anti-attack processing method and network equipment, wherein the method comprises the following steps: the CPU sends the opened TCP service port number to the hardware forwarding chip, and the hardware forwarding chip discards the TCP SYN message of which the destination port number is not in the range of the TCP service port number, thereby effectively defending TCP SYN attack and saving network equipment resources.

Description

Anti-attack processing method and network equipment
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to an anti-attack processing method and a network device.
Background
SYN (synchronous) Flood is an attack method for sending SYN messages to network equipment by forging a large number of illegal IP (Internet Protocol) addresses, which causes the network equipment to maintain a half-connection state with the illegal IP addresses for a long time, consumes system resources (full load or insufficient memory of a processor) of the network equipment, and affects processing of normal services.
Currently, the main defense method for SYN Flood attack is to send an attack table entry containing TCP (Transmission Control Protocol) SYN attack message quintuple information to a hardware forwarding chip, and the hardware forwarding chip discards or limits the speed of the TCP SYN message hitting the attack table entry, so as to achieve the purposes of defending SYN Flood attack and reducing network device resource consumption. However, the defense method still has some unnecessary resource consumption, for example, when the destination port is not within the range of the service port opened by the present device, the TCP SYN message is still sent to a Central Processing Unit (CPU) for processing, which causes impact on the CPU, and the entry resource of the hardware forwarding chip is still consumed by the non-existent attack entry of the destination port.
Disclosure of Invention
The invention aims to provide an anti-attack processing method and network equipment, which are used for further reducing the resource consumption caused by TCP SYN attacks on the network equipment.
In order to realize the purpose, the invention provides the technical scheme that:
the invention provides an anti-attack processing method, which is applied to network equipment, wherein the network equipment comprises a Central Processing Unit (CPU) and a hardware forwarding chip, and the method comprises the following steps:
the CPU sends the TCP service port number opened by the equipment to a hardware forwarding chip of the equipment;
when the hardware forwarding chip receives a TCP synchronous SYN message, the hardware forwarding chip judges whether a TCP service port number matched with a destination port number of the TCP SYN message exists or not;
and when the TCP service port number matched with the destination port number of the TCP SYN message does not exist, the hardware forwarding chip discards the TCP SYN message.
The present invention also provides a network device, the device comprising:
the CPU is used for sending the opened transmission control protocol TCP service port number to the hardware forwarding chip;
the hardware forwarding chip is used for judging whether a TCP service port number matched with a destination port number of the TCP SYN message exists or not when the TCP SYN message is received; and when the TCP service port number matched with the destination port number of the TCP SYN message does not exist, discarding the TCP SYN message.
It can be seen from the above description that, in the present invention, the CPU sends the TCP service port number opened by the device to the hardware forwarding chip, and the hardware forwarding chip discards the TCP SYN packet whose destination port number is not within the TCP service port number range of the device, so as to prevent the TCP SYN packet whose destination port number is not within the TCP service port number range of the device from being sent to the CPU, which not only saves the CPU resources, but also saves the table resources in the hardware forwarding chip.
Drawings
FIG. 1 is a flow chart of an anti-attack processing method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a networking shown in an embodiment of the invention;
FIG. 3 is a schematic structural diagram of a network device according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present invention. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The embodiment of the invention provides an anti-attack processing method, which sends a TCP service port number opened by the equipment to a hardware forwarding chip through a CPU, and the hardware forwarding chip discards a TCP SYN message of which the destination port number is not in the range of the TCP service port number of the equipment, thereby effectively preventing TCP SYN attack and simultaneously further saving the table entry resources of the hardware forwarding chip in network equipment.
Referring to fig. 1, a flowchart of an embodiment of the anti-attack processing method according to the present invention is shown, where the embodiment describes an anti-attack processing procedure of a network device, where the network device generally includes a CPU and a hardware forwarding chip.
Step 101, the CPU sends the TCP service port number opened by the device to the hardware forwarding chip of the device.
In the network equipment providing services based on TCP connection, a CPU opens a corresponding TCP service port number for each service and sends the opened TCP service port number to a hardware forwarding chip of the equipment.
Step 102, when a hardware forwarding chip receives a TCP SYN packet, the hardware forwarding chip determines whether a TCP service port number matching a destination port number of the TCP SYN packet exists.
The TCP connection is realized through a three-way handshake mechanism, namely, the network equipment completes the TCP connection through sequentially interacting SYN messages, SYNACK messages and ACK messages.
When the network device receives the TCP SYN message, the TCP SYN message first enters a hardware forwarding chip of the network device. Since the network device sends all opened TCP service port numbers to the hardware forwarding chip in step 101, that is, the hardware forwarding chip records all opened TCP service port numbers, when receiving the TCP SYN packet, the hardware forwarding chip may determine whether the destination port number is within the range of the opened TCP service port number of the device according to the destination port number of the TCP SYN packet.
Step 103, when there is no TCP service port number matching with the destination port number of the TCP SYN packet, the hardware forwarding chip discards the TCP SYN packet.
For TCP SYN messages whose destination port number is not within the range of TCP service port numbers opened by the device, the hardware forwarding chip discards the messages directly and does not send them to the CPU, which saves the CPU resources of the network device. At the same time, the CPU never needs to send the hardware forwarding chip an attack table entry matching such a TCP SYN message, so the table entry resources of the hardware forwarding chip are saved as well.
When the hardware forwarding chip judges that a TCP service port number matching the destination port number of a TCP SYN message exists, the service to be accessed really exists, and the hardware forwarding chip further judges whether an attack table item matching the message characteristics (such as quintuple information) of the TCP SYN message exists. When such an attack table item exists, the currently received TCP SYN message is a confirmed attack message, so the hardware forwarding chip directly discards the TCP SYN message and does not send it to the CPU; when no attack table item matching the message characteristics of the TCP SYN message exists, the TCP SYN message has not been confirmed to be an attack message, and therefore the hardware forwarding chip sends the TCP SYN message to the CPU.
The CPU responds with a SYNACK message according to the received TCP SYN message to complete the establishment of the subsequent TCP connection. Meanwhile, the CPU counts the sending frequency of the TCP SYN message according to the message characteristics of the TCP SYN message. When the sending frequency of the TCP SYN message reaches a preset attack frequency threshold value, the TCP SYN message is being sent too frequently, the TCP SYN message is determined to be an attack message, and the CPU sends an attack table item matching the message characteristics of the TCP SYN message to the hardware forwarding chip. When the hardware forwarding chip again receives a TCP SYN message matching the attack table item, the TCP SYN message is directly discarded and is no longer sent to the CPU, and the purpose of defending against the attack is achieved.
It can be seen from the above description that, in the present invention, the opened TCP service port number is sent to the hardware forwarding chip by the CPU, and the hardware forwarding chip discards the TCP SYN packet whose destination port number is not within the range of the opened TCP service port number of the device, so that the defense efficiency of the network device is improved, and meanwhile, the table resource consumption of the network device in defending the attack is further reduced.
Referring to fig. 2, a schematic diagram of a networking system according to the present invention is shown. The networking includes two network devices, Device1 and Device2, and the anti-attack processing procedure of Device2 is introduced by taking the example that Device2 receives the TCP SYN message sent by Device1.
Assuming that Device2 has opened TCP service port numbers 5000 and 6000, the CPU of Device2 sends TCP service port numbers 5000 and 6000 to the hardware forwarding chip of Device2. When the hardware forwarding chip of Device2 receives a TCP SYN message sent by Device1, the destination port number of the TCP SYN message is obtained. Assuming that the destination port number of the TCP SYN message is 2000, the hardware forwarding chip queries TCP service port numbers 5000 and 6000 recorded by the chip and does not find a TCP service port number matching the destination port number 2000, which indicates that the service requested by Device1 is not within the service range provided by Device2, so the hardware forwarding chip directly discards the TCP SYN message and does not send it to the CPU.
Supposing that a hardware forwarding chip of Device2 receives a TCP SYN message of destination port number 5000 sent by Device1, the hardware forwarding chip queries a TCP service port number recorded by the chip, finds a TCP service port number matching with the destination port number 5000, and further determines whether an attack table entry matching with the message feature of the received TCP SYN message exists in the chip, and if a matching attack table entry exists, the hardware forwarding chip directly discards the TCP SYN message and does not send the TCP SYN message to the CPU.
Supposing that the hardware forwarding chip of Device2 receives a TCP SYN message with destination port number 6000 sent by Device1, the hardware forwarding chip queries the TCP service port numbers recorded by the chip, finds a TCP service port number matching the destination port number 6000, and further determines whether an attack table item matching the message feature of the received TCP SYN message exists in the chip; if no matching attack table item exists, the hardware forwarding chip sends the TCP SYN message to the CPU. The CPU generates a SYNACK message according to the TCP SYN message and sends it to Device1 through the hardware forwarding chip. Meanwhile, the CPU counts the frequency at which Device1 sends TCP SYN messages to TCP service port number 6000 according to the message characteristics of the TCP SYN message; when the counted frequency reaches the attack frequency threshold value, the message is determined to be an attack message, and the CPU generates a matching attack table entry according to the message characteristics of the attack message and sends the attack table entry to the hardware forwarding chip. When the hardware forwarding chip of Device2 again receives a TCP SYN message with destination port number 6000 sent by Device1, the message matching the attack table entry is directly discarded and not sent to the CPU.
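The two-stage filter of steps 101 to 103 and the Fig. 2 walk-through can be modelled in software. The following is an added example, not code from the patent or from H3C: a forwarding-chip model that holds the open-port set and the attack-entry table, and a CPU model that opens ports and rate-counts SYNs. The IP addresses, port numbers, packet layout (20-byte IPv4 and TCP headers with zero checksums), the choice of the 5-tuple as the "message characteristic", and the sliding-window definition of "sending frequency" are all assumptions made for the illustration.

```python
"""Software model of the SYN filter described in the patent (added example,
not the patent's own code). Packet contents, addresses, the 5-tuple key and
the sliding-window rate counter are assumptions for the illustration."""
import struct
from collections import defaultdict, deque
from dataclasses import dataclass

TCP_PROTO = 6
FLAG_SYN = 0x02
FLAG_ACK = 0x10


@dataclass(frozen=True)
class FiveTuple:
    """Assumed 'message characteristic' used to key attack table entries."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int = TCP_PROTO


def build_tcp_packet(src_ip, dst_ip, src_port, dst_port, flags=FLAG_SYN):
    """Constructed IPv4+TCP packet (no options, checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP_PROTO, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4,
                          flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_tcp(packet):
    """Return (FiveTuple, tcp_flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != TCP_PROTO or len(packet) < ihl + 20:
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    return FiveTuple(src_ip, dst_ip, src_port, dst_port), flags


class Cpu:
    """Control plane: opens service ports and rate-counts SYNs per 5-tuple."""

    def __init__(self, attack_threshold, window_seconds):
        self.attack_threshold = attack_threshold
        self.window = window_seconds
        self.syn_times = defaultdict(deque)
        self.synacks_sent = 0

    def open_services(self, chip, ports):
        # Step 101: hand the open TCP service ports to the forwarding chip.
        chip.service_ports.update(ports)

    def handle_syn(self, chip, tup, now):
        # Answer with SYNACK so legitimate handshakes still complete.
        self.synacks_sent += 1
        times = self.syn_times[tup]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()
        # Frequency threshold reached: install an attack entry in hardware.
        if len(times) >= self.attack_threshold:
            chip.attack_entries.add(tup)


class ForwardingChip:
    """Data plane: service-port check first, attack-entry check second."""

    def __init__(self, cpu):
        self.cpu = cpu
        self.service_ports = set()
        self.attack_entries = set()
        self.counters = defaultdict(int)

    def receive(self, packet, now=0.0):
        parsed = parse_tcp(packet)
        if parsed is None:
            return "not_tcp"
        tup, flags = parsed
        if not (flags & FLAG_SYN) or flags & FLAG_ACK:
            return "not_syn"  # only initial SYNs are subject to the filter
        if tup.dst_port not in self.service_ports:
            verdict = "drop_closed_port"   # step 103: never reaches the CPU
        elif tup in self.attack_entries:
            verdict = "drop_attack_entry"  # confirmed attacker, dropped in hw
        else:
            self.cpu.handle_syn(self, tup, now)
            verdict = "to_cpu"
        self.counters[verdict] += 1
        return verdict


def run_fig2_scenario():
    """Replay the Fig. 2 walk-through; returns (verdict list, chip)."""
    dev1, dev2 = "10.0.0.1", "10.0.0.2"  # constructed addresses
    cpu = Cpu(attack_threshold=3, window_seconds=1.0)
    chip = ForwardingChip(cpu)
    cpu.open_services(chip, {5000, 6000})
    verdicts = [chip.receive(build_tcp_packet(dev1, dev2, 40000, 2000))]
    chip.attack_entries.add(FiveTuple(dev1, dev2, 40001, 5000))
    verdicts.append(chip.receive(build_tcp_packet(dev1, dev2, 40001, 5000)))
    for i in range(4):  # port 6000: to CPU until the rate threshold trips
        verdicts.append(chip.receive(build_tcp_packet(dev1, dev2, 40002, 6000),
                                     now=0.1 * i))
    return verdicts, chip


if __name__ == "__main__":
    for verdict in run_fig2_scenario()[0]:
        print(verdict)
```

The order of the two checks is the point of the patent: a SYN to a closed port is dropped before any per-flow state is consulted or created, so a flood aimed at closed ports costs neither CPU cycles nor attack-table entries; only SYNs to open ports can ever consume an entry, and only after the CPU has observed the threshold rate.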
Corresponding to the embodiment of the anti-attack processing method, the invention also provides an embodiment of the network equipment.
Fig. 3 is a schematic structural diagram of a network device according to an embodiment of the present invention. The network device includes a CPU 31 and a hardware forwarding chip 32, wherein:
the CPU 31 is configured to send the opened TCP service port number to the hardware forwarding chip 32;
the hardware forwarding chip 32 is configured to, when a TCP SYN packet is received, determine whether a TCP service port number that matches a destination port number of the TCP SYN packet exists; and when the TCP service port number matched with the destination port number of the TCP SYN message does not exist, discard the TCP SYN message.
Further, the hardware forwarding chip 32 is also configured to, when it is determined that a TCP service port number matching the destination port number of the TCP SYN packet exists, determine whether an attack entry matching the packet feature of the TCP SYN packet exists; and when an attack table item matched with the message characteristics of the TCP SYN message exists, discard the TCP SYN message.
Further, the hardware forwarding chip 32 is also configured to send the TCP SYN packet to the CPU 31 when it is determined that there is no attack entry matching the packet characteristic of the TCP SYN packet.
Further, the CPU 31 is also configured to, after receiving the TCP SYN packet sent by the hardware forwarding chip 32, count the sending frequency of the TCP SYN packet according to the packet characteristics of the TCP SYN packet; and when the sending frequency of the TCP SYN message reaches a preset attack frequency threshold value, send an attack table item matched with the message characteristic of the TCP SYN message to the hardware forwarding chip 32.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. An anti-attack processing method is applied to network equipment, the network equipment comprises a Central Processing Unit (CPU) and a hardware forwarding chip, and the method is characterized by comprising the following steps:
the CPU sends the TCP service port number opened by the equipment to a hardware forwarding chip of the equipment;
when the hardware forwarding chip receives a TCP synchronous SYN message, the hardware forwarding chip judges whether a TCP service port number matched with a destination port number of the TCP SYN message exists or not;
and when the TCP service port number matched with the destination port number of the TCP SYN message does not exist, the hardware forwarding chip discards the TCP SYN message.
2. The method of claim 1, wherein when the hardware forwarding chip determines that there is a TCP service port number that matches the destination port number of the TCP SYN message, the method further comprises:
the hardware forwarding chip judges whether an attack table item matched with the message characteristic of the TCP SYN message exists or not;
and when an attack table item matched with the message characteristics of the TCP SYN message exists, the hardware forwarding chip discards the TCP SYN message.
3. The method of claim 2, wherein when the hardware forwarding chip determines that there is no attack entry matching the message characteristics of the TCP SYN message, the method further comprises:
and the hardware forwarding chip sends the TCP SYN message to a CPU.
4. The method of claim 3, wherein after the hardware forwarding chip sends the TCP SYN message to a CPU, the method further comprises:
the CPU counts the sending frequency of the TCP SYN message according to the message characteristics of the TCP SYN message;
and when the sending frequency of the TCP SYN message reaches a preset attack frequency threshold value, the CPU sends an attack table item matched with the message characteristic of the TCP SYN message to a hardware forwarding chip.
5. A network device, the device comprising:
the CPU is used for sending the opened transmission control protocol TCP service port number to the hardware forwarding chip;
the hardware forwarding chip is used for judging whether a TCP service port number matched with a destination port number of the TCP SYN message exists or not when the TCP SYN message is received; and when the TCP service port number matched with the destination port number of the TCP SYN message does not exist, discarding the TCP SYN message.
6. The apparatus of claim 5, wherein:
the hardware forwarding chip is further configured to determine whether an attack entry matching the message feature of the TCP SYN message exists when it is determined that a TCP service port number matching the destination port number of the TCP SYN message exists; and when an attack table item matched with the message characteristics of the TCP SYN message exists, discarding the TCP SYN message.
7. The apparatus of claim 6, wherein:
and the hardware forwarding chip is also used for sending the TCP SYN message to a CPU when judging that no attack table item matched with the message characteristic of the TCP SYN message exists.
8. The apparatus of claim 7, wherein:
the CPU is also used for counting the sending frequency of the TCP SYN message according to the message characteristics of the TCP SYN message after receiving the TCP SYN message sent by the hardware forwarding chip; and when the sending frequency of the TCP SYN message reaches a preset attack frequency threshold value, sending an attack table item matched with the message characteristic of the TCP SYN message to a hardware forwarding chip.
CN201610971817.2A 2016-10-28 2016-10-28 Anti-attack processing method and network equipment Active CN108023866B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610971817.2A CN108023866B (en) 2016-10-28 2016-10-28 Anti-attack processing method and network equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610971817.2A CN108023866B (en) 2016-10-28 2016-10-28 Anti-attack processing method and network equipment

Publications (2)

Publication Number Publication Date
CN108023866A CN108023866A (en) 2018-05-11
CN108023866B true CN108023866B (en) 2020-10-09

Family

ID=62084688

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610971817.2A Active CN108023866B (en) 2016-10-28 2016-10-28 Anti-attack processing method and network equipment

Country Status (1)

Country Link
CN (1) CN108023866B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1630248A (en) * 2003-12-19 2005-06-22 北京航空航天大学 SYN flooding attack defence method based on connection request authentication
US7752670B2 (en) * 2004-09-23 2010-07-06 Xiangrong Cai Detecting an attack of a network connection
CN101009662B (en) * 2007-01-31 2010-12-22 杭州华三通信技术有限公司 Message processing method, system and device based on the load balance technology
US7865954B1 (en) * 2007-08-24 2011-01-04 Louisiana Tech Research Foundation; A Division Of Louisiana Tech University Foundation, Inc. Method to detect SYN flood attack
CN101378395B (en) * 2008-10-10 2011-04-06 福建星网锐捷网络有限公司 Method and apparatus for preventing reject access aggression
CN105827646B (en) * 2016-05-17 2019-06-11 浙江宇视科技有限公司 The method and device of ssyn attack protection

Also Published As

Publication number Publication date
CN108023866A (en) 2018-05-11

Similar Documents

Publication Publication Date Title
US9497125B2 (en) Congestion control enforcement in a virtualized environment
US7818795B1 (en) Per-port protection against denial-of-service and distributed denial-of-service attacks
EP2180644B1 (en) Flow consistent dynamic load balancing
CN101800707B (en) Method for establishing stream forwarding list item and data communication equipment
WO2014101758A1 (en) Method, apparatus and device for detecting e-mail bomb
US20040236966A1 (en) Queuing methods for mitigation of packet spoofing
CN110784415B (en) ECN quick response method and device
US7404210B2 (en) Method and apparatus for defending against distributed denial of service attacks on TCP servers by TCP stateless hogs
US7478168B2 (en) Device, method and program for band control
US20140304817A1 (en) APPARATUS AND METHOD FOR DETECTING SLOW READ DoS ATTACK
CN100420197C (en) Method for guarding against attack realized for networked devices
US11863459B2 (en) Packet processing method and apparatus
US9455953B2 (en) Router chip and method of selectively blocking network traffic in a router chip
US7552206B2 (en) Throttling service connections based on network paths
US7464398B2 (en) Queuing methods for mitigation of packet spoofing
WO2019096104A1 (en) Attack prevention
CN110661763A (en) DDoS reflection attack defense method, device and equipment
Kumarasamy et al. An active defense mechanism for TCP SYN flooding attacks
CN108023866B (en) Anti-attack processing method and network equipment
Zhu et al. Research and survey of low-rate denial of service attacks
WO2009092003A1 (en) Network message management device and methods thereof
CN108322402B (en) Message processing method, device and system
CN101605135B (en) Packet transmitting method and device
JP2006345268A (en) Packet filter circuit and packet filter method
US7646724B2 (en) Dynamic blocking in a shared host-network interface

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant