CN108449280B - Method and device for avoiding ping-pong of TCP (Transmission control protocol) messages - Google Patents


Info

Publication number: CN108449280B
Authority: CN (China)
Application number: CN201710083050.4A
Other versions: CN108449280A
Other languages: Chinese (zh)
Inventors: 邱军, 闫磊, 董彬
Assignee (original and current): ZTE Corp
Legal status: Active

Classifications

    • H04L47/193 Flow control; Congestion control at layers above the network layer at the transport layer, e.g. TCP related
    • H04L47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • H04L47/26 Flow control; Congestion control using explicit feedback to the source, e.g. choke packets

Abstract

The invention provides a method and a device for avoiding TCP (Transmission Control Protocol) message ping-pong. The method comprises the following steps: the server configures a first acknowledgement message based on the received TCP message and sends the first acknowledgement message to the client; when the server receives a second acknowledgement message sent by the client, the server judges whether the second acknowledgement message is legal; if the second acknowledgement message is judged to be legal, the server sends the first acknowledgement message to the client again; otherwise, the server stops sending the first acknowledgement message to the client. The method and device effectively prevent the two ends of a TCP connection from continuously sending a large number of ping-pong messages when the connection is attacked by data injection or under other abnormal conditions, and so reduce the CPU consumption and network bandwidth occupied by that continuous ping-pong traffic.

Description

Method and device for avoiding ping-pong of TCP (Transmission control protocol) messages
Technical Field
The present invention relates to the field of communications technologies, and in particular to a method and an apparatus for avoiding ping-pong of TCP messages.
Background
TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream transport layer protocol. TCP establishes a connection through a three-way handshake; once the connection is established, the four-tuple that identifies it (source IP (Internet Protocol) address, source port, destination IP address and destination port) remains unchanged, which provides the connection-oriented service. Reliable, ordered delivery of data is then achieved through the sequence number and acknowledgement number fields of the TCP header together with the retransmission and acknowledgement mechanism. In addition, TCP performs flow control of the sending end through the receive window and congestion control of the network through the congestion window.
The TCP protocol was originally designed without fully considering security; its security mainly depends on the attacker's uncertainty about the four-tuple and on the randomness of the sequence number and acknowledgement number. Before RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks), blind in-window attacks were the main means of attacking TCP: once the sequence number of a forged packet fell within the acceptable window, an attacker could inject malicious data into a TCP connection or reset the connection outright. However, RFC 5961, although intended to improve TCP security, introduced the vulnerability numbered CVE-2016-5696, with which an attacker can carry out a malicious data injection attack more quickly.
The impact of a malicious data injection attack is very severe. For the end user, the attacker can insert a phishing site into a web page the user is browsing normally, causing the user financial loss and leakage of personal information, and can tamper at will with the data the user transmits, so that a reliable TCP transmission is no longer reliable. For data communication equipment, beyond the above effects, a malicious data injection attack causes a large number of TCP ping-pong messages at the two ends of the connection and consumes a great deal of the system's CPU resources, which affects the normal operation of other protocols in the system; in severe cases the whole system enters a denial-of-service state.
A malicious data injection attack causes the TCP messages at both ends of a connection to ping-pong as shown in Fig. 1. After receiving the injected data message, the server normally sends an acknowledgement message to the client. Because the acknowledgement number of that message is larger than the sequence number sent by the client, the client is triggered to respond with an acknowledgement message; because the sequence number of the client's acknowledgement message is smaller than the sequence number the server expects to receive, the server is triggered to send its acknowledgement message again. The cycle repeats, so the two ends of an otherwise normal TCP connection continuously send ping-pong messages.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and an apparatus for avoiding ping-pong of TCP messages, which overcome the defect in the prior art that, after a TCP connection is attacked by data injection, both ends of the connection continuously send a large number of ping-pong messages, consuming CPU (Central Processing Unit) resources and occupying network bandwidth.
The technical scheme adopted by the invention is a method for avoiding Transmission Control Protocol (TCP) message ping-pong, comprising the following steps:
the server configures a first acknowledgement message based on the received TCP message and sends the first acknowledgement message to a client, so that the client can judge whether the first acknowledgement message is legal;
when the server receives a second acknowledgement message sent by the client, the server judges whether the second acknowledgement message is legal; if the second acknowledgement message is judged to be legal, the server sends the first acknowledgement message to the client again; otherwise, the server stops sending the first acknowledgement message to the client.
Further, the server configuring a first acknowledgement message based on the received TCP message includes:
the server, based on the received TCP message, configures the acknowledgement number of the TCP message as the sequence number of the first acknowledgement message, and configures the sum of the sequence number and the message length of the TCP message as the acknowledgement number of the first acknowledgement message.
Further, the server judging whether the second acknowledgement message is legal includes:
the server judges whether the sequence number of the second acknowledgement message is smaller than the acknowledgement number of the first acknowledgement message;
if so, the second acknowledgement message is judged to be legal; otherwise, the second acknowledgement message is judged to be illegal.
The invention also provides a device for avoiding Transmission Control Protocol (TCP) message ping-pong, which is arranged at the server and comprises:
a configuration module, used to configure a first acknowledgement message based on the received TCP message and to send the first acknowledgement message to a client, so that the client can judge whether the first acknowledgement message is legal;
a first judgment module, used to judge whether a second acknowledgement message is legal when, after the configuration module has sent the first acknowledgement message to the client, a second acknowledgement message sent by the client is received; if the second acknowledgement message is judged to be legal, the first acknowledgement message is sent to the client again; otherwise, sending of the first acknowledgement message to the client is stopped.
Further, configuring a first acknowledgement message based on the received TCP message includes:
based on the received TCP message, configuring the acknowledgement number of the TCP message as the sequence number of the first acknowledgement message, and configuring the sum of the sequence number and the message length of the TCP message as the acknowledgement number of the first acknowledgement message.
Further, judging whether the second acknowledgement message is legal includes:
judging whether the sequence number of the second acknowledgement message is smaller than the acknowledgement number of the first acknowledgement message;
if so, the second acknowledgement message is judged to be legal; otherwise, the second acknowledgement message is judged to be illegal.
The invention also provides a method for avoiding Transmission Control Protocol (TCP) message ping-pong, comprising the following steps:
the client judges whether the received first acknowledgement message sent by the server is legal;
if the first acknowledgement message is judged to be legal, the client sends a challenge acknowledgement message to the server and judges whether the number of challenge acknowledgement messages sent within a set time length is smaller than a first preset value; otherwise, the client stops responding;
if the number of challenge acknowledgement messages sent within the set time length is smaller than the first preset value, the client configures a second acknowledgement message and sends it to the server, so that the server can judge whether the second acknowledgement message is legal; otherwise, the client stops responding.
Further, the client judging whether the received first acknowledgement message sent by the server is legal includes:
the client judges whether the acknowledgement number of the received first acknowledgement message sent by the server is larger than the maximum sequence number of the data the client has sent;
if so, the first acknowledgement message is judged to be legal; otherwise, the first acknowledgement message is judged to be illegal.
Further, the client configuring a second acknowledgement message includes:
configuring the maximum sequence number of the data sent by the client as the sequence number of the second acknowledgement message, and configuring the sequence number of the first acknowledgement message as the acknowledgement number of the second acknowledgement message.
The invention also provides a device for avoiding Transmission Control Protocol (TCP) message ping-pong, which is arranged at the client and comprises:
a second judgment module, used to judge whether the received first acknowledgement message sent by the server is legal;
a challenge acknowledgement module, used to send a challenge acknowledgement message to the server if the first acknowledgement message is judged to be legal, and to judge whether the number of challenge acknowledgement messages sent within a set time length is smaller than a first preset value; otherwise, responding is stopped;
a feedback module, used to configure a second acknowledgement message if the number of challenge acknowledgement messages sent within the set time length is smaller than the first preset value, and to send the second acknowledgement message to the server, so that the server can judge whether the second acknowledgement message is legal; otherwise, responding is stopped.
Further, judging whether the received first acknowledgement message sent by the server is legal includes:
judging whether the acknowledgement number of the received first acknowledgement message sent by the server is larger than the maximum sequence number of the data sent by the client;
if so, the first acknowledgement message is judged to be legal; otherwise, the first acknowledgement message is judged to be illegal.
Further, configuring a second acknowledgement message includes:
the client configures the sequence number of the second acknowledgement message as the maximum sequence number of the data it has sent, and configures the acknowledgement number of the second acknowledgement message as the sequence number of the first acknowledgement message.
The invention also provides a method for avoiding Transmission Control Protocol (TCP) message ping-pong, comprising the following steps:
when the communication system end detects that the client has received a first acknowledgement message sent by the server and has sent a challenge acknowledgement message to the server, the communication system end judges whether the number of challenge acknowledgement messages sent within a set time length is smaller than a second preset value;
if the number of challenge acknowledgement messages sent within the set time length is smaller than the second preset value, the communication system end controls the client to send a second acknowledgement message to the server; otherwise, the communication system end controls the client to stop responding.
Further, the sequence number of the second acknowledgement message is the maximum sequence number of the data sent by the client,
and the acknowledgement number of the second acknowledgement message is the sequence number of the first acknowledgement message.
The invention also provides a device for avoiding Transmission Control Protocol (TCP) message ping-pong, which is arranged at the communication system end and comprises:
a third judgment module, used by the communication system end, when it detects that the client has received a first acknowledgement message sent by the server and has sent a challenge acknowledgement message to the server, to judge whether the number of challenge acknowledgement messages sent within a set time length is smaller than a second preset value;
an execution module, used to control the client to send a second acknowledgement message to the server if the number of challenge acknowledgement messages sent within the set time length is smaller than the second preset value; otherwise, the communication system end controls the client to stop responding.
Further, the sequence number of the second acknowledgement message is the maximum sequence number of the data sent by the client,
and the acknowledgement number of the second acknowledgement message is the sequence number of the first acknowledgement message.
By adopting the above technical scheme, the invention has at least the following advantage:
the method and device for avoiding ping-pong of TCP messages effectively prevent the two ends (the client and the server) of a TCP connection from continuously sending a large number of ping-pong messages when the connection is attacked by data injection or under other abnormal conditions, and so reduce the CPU consumption and network bandwidth occupied by that continuous ping-pong traffic.
Drawings
Fig. 1 is a flowchart of the two ends (client and server) of a TCP connection continuously sending TCP ping-pong messages when the connection is attacked by data injection, in the prior art;
Fig. 2 is a flowchart of a method for avoiding ping-pong of TCP messages according to a first embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a device for avoiding ping-pong of TCP messages according to a second embodiment of the present invention;
Fig. 4 is a flowchart of a method for avoiding ping-pong of TCP messages according to a third embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a device for avoiding ping-pong of TCP messages according to a fourth embodiment of the present invention;
Fig. 6 is a flowchart of a method for avoiding ping-pong of TCP messages according to a fifth embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a device for avoiding ping-pong of TCP messages according to a sixth embodiment of the present invention;
Fig. 8 is a flowchart of a method for avoiding ping-pong of TCP messages according to a seventh embodiment of the present invention.
Detailed Description
To further explain the technical means adopted by the present invention to achieve its intended purpose, and their effects, the invention is described in detail below with reference to the accompanying drawings and preferred embodiments.
A first embodiment of the present invention provides a method for avoiding ping-pong of TCP messages, comprising the following steps, as shown in Fig. 2:
Step S101: the server configures a first acknowledgement message based on the received TCP message and sends the first acknowledgement message to the client, so that the client can judge whether the first acknowledgement message is legal.
The server configuring the first acknowledgement message based on the received TCP message includes:
the server, based on the received TCP message, configures the acknowledgement number of the TCP message as the sequence number of the first acknowledgement message, and configures the sum of the sequence number and the message length of the TCP message as the acknowledgement number of the first acknowledgement message.
For example, in step S101 the server receives a TCP message with sequence number X, acknowledgement number Y and message length Z. The server then configures the first acknowledgement message as follows: the acknowledgement number Y of the TCP message becomes the sequence number of the first acknowledgement message, and the sum X + Z of the sequence number X and the message length Z of the TCP message becomes the acknowledgement number of the first acknowledgement message.
Step S102: when the server receives a second acknowledgement message sent by the client, the server judges whether the second acknowledgement message is legal; if the second acknowledgement message is judged to be legal, the server sends the first acknowledgement message to the client again; otherwise, the server stops sending the first acknowledgement message to the client.
The server judging whether the second acknowledgement message is legal includes:
the server judges whether the sequence number of the second acknowledgement message is smaller than the acknowledgement number of the first acknowledgement message;
if the sequence number of the second acknowledgement message is smaller than the acknowledgement number of the first acknowledgement message, the second acknowledgement message is judged to be legal;
otherwise, the second acknowledgement message is judged to be illegal.
The method for avoiding ping-pong of TCP messages in the first embodiment effectively prevents the two ends (the client and the server) of the TCP connection from continuously sending a large number of ping-pong messages when the connection is attacked by data injection or under other abnormal conditions, and so reduces the CPU consumption and network bandwidth occupied by that continuous ping-pong traffic.
A second embodiment of the present invention provides a device for avoiding ping-pong of TCP messages, which is arranged at the server and, as shown in Fig. 3, comprises the following components:
a configuration module 110, used to configure the first acknowledgement message based on the received TCP message and to send the first acknowledgement message to the client, so that the client can judge whether the first acknowledgement message is legal.
Configuring the first acknowledgement message based on the received TCP message includes:
based on the received TCP message, configuring the acknowledgement number of the TCP message as the sequence number of the first acknowledgement message, and configuring the sum of the sequence number and the message length of the TCP message as the acknowledgement number of the first acknowledgement message.
For example, the server receives a TCP message with sequence number X, acknowledgement number Y and message length Z. The configuration module 110 then configures the first acknowledgement message as follows: the acknowledgement number Y of the TCP message becomes the sequence number of the first acknowledgement message, and the sum X + Z of the sequence number X and the message length Z of the TCP message becomes the acknowledgement number of the first acknowledgement message; the first acknowledgement message is then sent to the client, so that the client can judge whether it is legal.
A first judgment module 120, used to judge whether a second acknowledgement message sent by the client is legal when such a message is received; if the second acknowledgement message is judged to be legal, the first acknowledgement message is sent to the client again; otherwise, the server stops sending the first acknowledgement message to the client.
Judging whether the second acknowledgement message is legal includes:
judging whether the sequence number of the second acknowledgement message is smaller than the acknowledgement number of the first acknowledgement message;
if the sequence number of the second acknowledgement message is smaller than the acknowledgement number of the first acknowledgement message, the second acknowledgement message is judged to be legal;
otherwise, the second acknowledgement message is judged to be illegal.
The device for avoiding ping-pong of TCP messages according to the second embodiment effectively and automatically stops the two ends (the client and the server) of the TCP connection from continuously sending a large number of ping-pong messages when the connection is attacked by data injection or under other abnormal conditions, and so reduces the CPU consumption and network bandwidth occupied by that continuous ping-pong traffic.
A third embodiment of the present invention provides a method for avoiding ping-pong of TCP messages, comprising the following steps, as shown in Fig. 4:
Step S301: the client judges whether the received first acknowledgement message sent by the server is legal.
The client judging whether the received first acknowledgement message sent by the server is legal includes:
the client judges whether the acknowledgement number of the received first acknowledgement message sent by the server is larger than the maximum sequence number of the data the client has sent;
if the acknowledgement number of the first acknowledgement message is larger than the maximum sequence number of the data sent by the client, the first acknowledgement message is judged to be legal; otherwise, the first acknowledgement message is judged to be illegal.
For example, the client receives a first acknowledgement message sent by the server whose sequence number is Y and whose acknowledgement number is X + Z. The client judges whether the first acknowledgement message is legal by checking whether its acknowledgement number X + Z is larger than the maximum sequence number X of the data the client has sent; if the acknowledgement number X + Z is larger than the maximum sequence number X, the first acknowledgement message is judged to be legal.
Step S302: if the first acknowledgement message is judged to be legal, the client sends a challenge acknowledgement (ACK) message to the server and judges whether the number of challenge ACK messages sent within a set time length is smaller than a first preset value; otherwise, the client stops responding.
The first preset value is set according to experience, or according to the statistical results of a limited number of tests.
For example, in step S302, if the first acknowledgement message is judged to be legal, the client sends a challenge ACK message to the server and judges whether the number of challenge ACK messages sent within a set time length of 1 second is smaller than a first preset value of 30; if the first acknowledgement message is judged to be illegal, the client stops responding.
Step S303: if the number of challenge ACK messages sent within the set time length is smaller than the first preset value, the client configures a second acknowledgement message and sends it to the server, so that the server can judge whether the second acknowledgement message is legal; otherwise, the client stops responding.
The client configuring the second acknowledgement message includes:
the client configures the maximum sequence number of the data it has sent as the sequence number of the second acknowledgement message, and configures the sequence number of the first acknowledgement message as the acknowledgement number of the second acknowledgement message.
For example, in step S303, if the number of challenge ACK messages sent within the set time length of 1 second is 20, which is smaller than the first preset value of 30, the client configures a second acknowledgement message and sends it to the server, so that the server can judge whether it is legal. The client configures the second acknowledgement message by taking the maximum sequence number X of the data it has sent as the sequence number of the second acknowledgement message, and the sequence number Y of the first acknowledgement message as the acknowledgement number of the second acknowledgement message.
As another example, in step S303, if the number of challenge ACK messages sent within the set time length of 1 second is 40, which is not smaller than the first preset value of 30, the client stops responding.
The method for avoiding ping-pong of TCP messages according to the third embodiment effectively and automatically stops the two ends (the client and the server) of the TCP connection from continuously sending a large number of ping-pong messages when the connection is attacked by data injection or under other abnormal conditions, and so reduces the CPU consumption and network bandwidth occupied by that continuous ping-pong traffic.
In a fourth embodiment of the present invention, a device for avoiding ping-pong of TCP messages is disposed at a client, and as shown in fig. 5, the device includes the following components:
the second determining module 210 is configured to determine whether the received first acknowledgment packet sent by the server is legal.
The method for judging whether the received first confirmation message sent by the server side is legal or not comprises the following steps:
judging whether the received confirmation number of the first confirmation message sent by the server side is larger than the maximum value of the serial number of the sent data of the client side;
if the confirmation number of the first confirmation message is larger than the maximum value of the serial number of the data sent by the client, judging the first confirmation message to be legal; otherwise, the first confirmation message is judged to be illegal.
For example: the second determining module 210 is configured to receive a first acknowledgement packet sent by a server;
the sequence number of the first confirmation message is Y, and the confirmation number is X + Z;
judging whether the first confirmation message is legal or not;
the method for judging whether the first confirmation message is legal or not comprises the following steps:
judging whether the confirmation number X + Z of the first confirmation message is larger than the maximum value X of the serial number of the data sent by the client;
and if the confirmation number X + Z of the first confirmation message is larger than the maximum value X of the serial number of the data sent by the client, judging that the first confirmation message is legal.
The challenge confirmation module 220 is configured to send a challenge confirmation (ACK) message to the server if the first confirmation message is determined to be legal, and determine whether the number of the challenge confirmation (ACK) messages in a set time duration is smaller than a first preset value; otherwise the client stops responding.
The first preset value is set according to experience, or is set according to the statistical result of limited tests.
For example: the challenge confirmation module 220 is configured to send a challenge confirmation (ACK) message to the server if the first confirmation message is determined to be legal, and determine whether the number of the challenge confirmation (ACK) messages is smaller than the first preset value 30 within 1 second of a set time;
and if the first confirmation message is judged to be illegal, the client stops responding.
The feedback module 230 is used to configure a second acknowledgement message and send it to the server side, so that the server side determines whether the second acknowledgement message is legal, if the number of challenge Acknowledgement (ACK) messages sent within the set time length is smaller than the first preset value; otherwise, the response is stopped.
Wherein configuring the second acknowledgement packet includes:
configuring the maximum value of the serial number of the data sent by the client as the serial number of the second confirmation message, and configuring the serial number of the first confirmation message as the confirmation number of the second confirmation message.
For example: the feedback module 230 is configured to configure a second acknowledgement message and send it to the server, so that the server determines whether the second acknowledgement message is legal, if the sending number 20 of challenge Acknowledgement (ACK) messages within a set time length of 1 second is smaller than the first preset value 30.
Wherein configuring the second acknowledgement packet includes:
configuring the maximum value X of the serial numbers of the data sent by the client as the serial number of the second confirmation message, and configuring the serial number Y of the first confirmation message as the confirmation number of the second confirmation message.
Another example is: the feedback module 230 is configured to stop responding if the sending number 40 of challenge Acknowledgement (ACK) packets within a set time length of 1 second is not less than the first preset value 30.
The device for avoiding ping-pong of the TCP message according to the fourth embodiment of the present invention can effectively and automatically stop the two ends of the TCP connection (the client and the server) from continuously sending a large number of ping-pong messages when the TCP connection is attacked by data injection or is under other abnormal conditions, thereby reducing the CPU consumption and the network bandwidth that both ends of the connection would otherwise spend on continuously exchanging large numbers of ping-pong messages.
A fifth embodiment of the present invention provides a method for avoiding ping-pong of a TCP packet, as shown in fig. 6, including the following specific steps:
step S501, when the communication system side monitors that the client side receives the first confirmation message sent by the server side and sends a challenge confirmation (ACK) message to the server side, the communication system side judges whether the number of the challenge confirmation (ACK) messages in the set time length is smaller than a second preset value.
The second preset value is set according to experience, or is set according to the statistical result of limited tests, or is set as a random value.
For example: step S501, when the communication system side monitors that the client receives the first acknowledgement message sent by the server side and sends a challenge Acknowledgement (ACK) message to the server side, the communication system side determines whether the number of the challenge Acknowledgement (ACK) messages is less than a second preset value 35 within a set time period of 1 second.
The second preset value is set according to experience, or is set according to the statistical result of limited tests, or is set as a random value.
Step S502, if the number of the challenge Acknowledgement (ACK) messages in the set time length is judged to be less than a second preset value, the communication system end controls the client to send a second ACK message to the server end; otherwise, the communication system end controls the client to stop responding.
The serial number of the second confirmation message is the maximum value of the serial number of the data sent by the client;
the acknowledgement number of the second acknowledgement message is the sequence number of the first acknowledgement message.
For example, in step S502, if it is determined that the number 20 of challenge Acknowledgement (ACK) packets is smaller than the second preset value 35 within a set time duration of 1 second, the communication system controls the client to send a second acknowledgement packet to the server;
the serial number of the second confirmation message is the maximum value of the serial number of the data sent by the client;
the acknowledgement number of the second acknowledgement message is the sequence number of the first acknowledgement message.
For another example: step S502, if it is determined that the number 40 of challenge Acknowledgement (ACK) packets is not less than the second preset value 35 within a set time period of 1 second, the communication system side controls the client to stop responding.
In a sixth embodiment of the present invention, a device for avoiding ping-pong of TCP messages is disposed at a communication system end, and as shown in fig. 7, the device includes the following components:
the third determining module 310 is configured to determine whether the number of challenge Acknowledgement (ACK) packets within a set time length is smaller than a second preset value when it is monitored that the client receives the first acknowledgement packet sent by the server and sends the challenge Acknowledgement (ACK) packet to the server.
The second preset value is set according to experience, or according to the statistical result of limited tests, or is set as a random value.
For example: the third determining module 310 is configured to determine whether the number of challenge Acknowledgement (ACK) packets is less than the second preset value 35 within a set time period of 1 second, when it is monitored that the client receives the first acknowledgement packet sent by the server and sends the challenge Acknowledgement (ACK) packet to the server.
The second preset value is set according to experience, or is set according to the statistical result of limited tests, or is set as a random value.
The execution module 320 is used for controlling the client to send a second confirmation message to the server if the number of challenge confirmation (ACK) messages in the set time length is judged to be less than a second preset value; otherwise, the control client stops responding.
The serial number of the second confirmation message is the maximum value of the serial number of the data sent by the client;
the acknowledgement number of the second acknowledgement message is the sequence number of the first acknowledgement message.
For example, the execution module 320 is configured to control the client to send a second confirmation message to the server if it is determined that the number 20 of challenge Acknowledgement (ACK) messages is smaller than the second preset value 35 within a set time duration of 1 second;
the serial number of the second confirmation message is the maximum value of the serial number of the data sent by the client;
the acknowledgement number of the second acknowledgement message is the sequence number of the first acknowledgement message.
For another example: and the execution module 320 is used for controlling the client to stop responding if the number 40 of the challenge Acknowledgement (ACK) messages is judged to be not less than the second preset value 35 within the set time length of 1 second.
A seventh embodiment of the present invention builds on the foregoing embodiments and, taking a TCP packet ping-pong scenario as an example, introduces an application example of the present invention with reference to fig. 8.
S701: an attacker carries out a malicious data injection attack on the Server end; the sequence number of the attack message is x, its confirmation number is y, and its message length is z.
S702: when receiving the attack message, the Server sends a first confirmation message with the serial number of y and the confirmation number of x + z to the Client (Client).
S703: when the Client receives the first confirmation message, it checks the confirmation number of the first confirmation message; because the confirmation number x + z of the first confirmation message is larger than the maximum value x of the serial number of the data sent by the Client, the Client initiates a challenge ACK (acknowledgement) process.
S704: in the challenge ACK flow, the Client end checks the number of challenge ACK messages sent on this connection (the connection between the Server end and the Client end) within one second; if that number is less than the preset value, the process jumps to step S706; otherwise, it jumps to step S707.
S705: in the challenge ACK flow, the communication system checks the number of challenge ACK messages it has sent within one second; if that number is smaller than a preset random value, the process jumps to step S706; otherwise, it jumps to step S707.
S706: the Client end sends a second acknowledgement message with the serial number x and the acknowledgement number y to the Server end, and the process jumps to step S708.
S707: the Client end finishes the processing flow and does not send a confirmation message any more.
S708: after receiving the second acknowledgment packet sent by the Client, the Server, because the sequence number x of the second acknowledgment packet is smaller than the sequence number x + z that the Server expects to receive next, sends the first acknowledgment packet with sequence number y and acknowledgment number x + z to the Client again according to the TCP protocol specification, and the process jumps back to step S703.
While the present invention has been described in connection with the preferred embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (16)

1. A method for avoiding transmission control protocol TCP message ping-pong is characterized by comprising the following steps:
the server configures a first confirmation message based on the received TCP message, and sends the first confirmation message to the client, so that the client can judge whether the first confirmation message is legal or not;
the server receives the challenge confirmation messages sent by the client, where the number of challenge confirmation messages received within a set time length is smaller than a first preset value;
under the condition that the server side receives a second confirmation message sent by the client side, the server side judges whether the second confirmation message is legal or not; if the second confirmation message is judged to be legal, the server side sends the first confirmation message to the client side again; otherwise, the server stops sending the first confirmation message to the client.
2. The method according to claim 1, wherein the server configures a first acknowledgement packet based on the received TCP packet, including:
the server configures the acknowledgement number of the TCP message as the serial number of a first acknowledgement message based on the received TCP message, and configures the sum of the serial number and the message length of the TCP message as the acknowledgement number of the first acknowledgement message.
3. The method according to claim 2, wherein the server side determines whether the second acknowledgment packet is legitimate, including:
the server side judges whether the serial number of the second confirmation message is smaller than the confirmation number of the first confirmation message;
if yes, judging that the second confirmation message is legal; otherwise, the second confirmation message is judged to be illegal.
4. A device for avoiding transmission control protocol TCP message ping-pong, disposed at the server side, characterized by comprising:
the configuration module is used for configuring a first confirmation message based on the received TCP message and sending the first confirmation message to a client so that the client can judge whether the first confirmation message is legal or not;
the first judging module is used for receiving the challenge confirmation messages after the configuration module sends the first confirmation messages to the client, judging whether the second confirmation messages are legal or not under the condition that the number of the challenge confirmation messages received within the set time is smaller than a first preset value and the second confirmation messages sent by the client are received; if the second confirmation message is judged to be legal, the first confirmation message is sent to the client again; otherwise, stopping sending the first confirmation message to the client.
5. The apparatus of claim 4, wherein the configuring of the first acknowledgement message based on the received TCP message comprises:
based on the received TCP message, configuring the acknowledgement number of the TCP message as the serial number of a first acknowledgement message, and configuring the sum of the serial number and the message length of the TCP message as the acknowledgement number of the first acknowledgement message.
6. The apparatus of claim 5, wherein the determining whether the second acknowledgment packet is legitimate comprises:
judging whether the serial number of the second confirmation message is smaller than the confirmation number of the first confirmation message;
if so, judging that the second confirmation message is legal; otherwise, the second confirmation message is judged to be illegal.
7. A method for avoiding transmission control protocol TCP message ping-pong is characterized by comprising the following steps:
the client judges whether the received first confirmation message sent by the server is legal or not;
if the first confirmation message is judged to be legal, the client sends a challenge confirmation message to the server, and judges whether the number of the challenge confirmation messages is smaller than a first preset value within a set time length; otherwise, the client stops responding;
if the sending quantity of the challenge confirmation messages is smaller than a first preset value within a set time length, the client configures second confirmation messages and sends the second confirmation messages to the server side so that the server side can judge whether the second confirmation messages are legal or not; otherwise, the client stops responding.
8. The method according to claim 7, wherein the determining, by the client, whether the received first acknowledgment packet sent by the server is legal comprises:
the client judges whether the received confirmation number of the first confirmation message sent by the server is larger than the maximum value of the serial number of the data sent by the client;
if yes, the first confirmation message is judged to be legal; otherwise, the first confirmation message is judged to be illegal.
9. The method according to claim 7 or 8, wherein the client configures a second acknowledgement message, comprising:
and the client configures the maximum value of the serial number of the data sent by the client as the serial number of a second confirmation message, and configures the serial number of the first confirmation message as the confirmation number of the second confirmation message.
10. A device for avoiding transmission control protocol TCP message ping-pong, disposed at the client end, characterized by comprising:
the second judgment module is used for judging whether the received first confirmation message sent by the server side is legal or not;
the challenge confirmation module is used for sending a challenge confirmation message to the server side if the first confirmation message is judged to be legal, and judging whether the number of the challenge confirmation messages in a set time length is smaller than a first preset value or not; otherwise, stopping response;
the feedback module is used for configuring a second confirmation message and sending the second confirmation message to the server side if the sending quantity of the challenge confirmation messages is smaller than a first preset value in a set time length so that the server side can judge whether the second confirmation message is legal or not; otherwise, the response is stopped.
11. The apparatus according to claim 10, wherein the determining whether the received first acknowledgment packet sent by the server side is legal comprises:
judging whether the received confirmation number of a first confirmation message sent by the server side is larger than the maximum value of the serial number of the data sent by the client side;
if yes, the first confirmation message is judged to be legal; otherwise, the first confirmation message is judged to be illegal.
12. The apparatus according to claim 10 or 11, wherein the configuring of the second acknowledgement message comprises:
and configuring the maximum value of the serial number of the data sent by the client as the serial number of a second confirmation message, and configuring the serial number of the first confirmation message as the confirmation number of the second confirmation message.
13. A method for avoiding transmission control protocol TCP message ping-pong is characterized by comprising the following steps:
when the communication system end monitors that the client receives a first confirmation message sent by the server end and sends a challenge confirmation message to the server end, the communication system end judges whether the number of the challenge confirmation messages in a set time length is smaller than a second preset value;
if the number of the challenge confirmation messages in the set time length is smaller than a second preset value, the communication system end controls the client end to send a second confirmation message to the server end; otherwise, the communication system end controls the client end to stop responding.
14. The method according to claim 13, wherein the sequence number of the second acknowledgement packet is the maximum value of the sequence numbers of the data sent by the client;
and the confirmation number of the second confirmation message is the serial number of the first confirmation message.
15. A device for avoiding transmission control protocol TCP message ping-pong, disposed at the communication system end, characterized by comprising:
the third judging module is used for judging whether the number of the challenge confirmation messages in a set time length is less than a second preset value or not by the communication system end when the client is monitored to receive the first confirmation message sent by the server end and send the challenge confirmation message to the server end;
the execution module is used for controlling the client to send a second confirmation message to the server if the number of the challenge confirmation messages in the set time length is smaller than a second preset value; otherwise, the communication system end controls the client end to stop responding.
16. The apparatus according to claim 15, wherein the sequence number of the second acknowledgement packet is the maximum value of the sequence numbers of the data sent by the client;
and the confirmation number of the second confirmation message is the serial number of the first confirmation message.
CN201710083050.4A 2017-02-16 2017-02-16 Method and device for avoiding ping-pong of TCP (Transmission control protocol) messages Active CN108449280B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710083050.4A CN108449280B (en) 2017-02-16 2017-02-16 Method and device for avoiding ping-pong of TCP (Transmission control protocol) messages

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710083050.4A CN108449280B (en) 2017-02-16 2017-02-16 Method and device for avoiding ping-pong of TCP (Transmission control protocol) messages

Publications (2)

Publication Number Publication Date
CN108449280A CN108449280A (en) 2018-08-24
CN108449280B true CN108449280B (en) 2023-03-07

Family

ID=63190528

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710083050.4A Active CN108449280B (en) 2017-02-16 2017-02-16 Method and device for avoiding ping-pong of TCP (Transmission control protocol) messages

Country Status (1)

Country Link
CN (1) CN108449280B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110198298B (en) * 2018-10-11 2021-08-27 腾讯科技(深圳)有限公司 Information processing method, device and storage medium
CN110958264A (en) * 2019-12-13 2020-04-03 电子科技大学中山学院 Server communication method based on TCP/IP protocol

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101527632A (en) * 2008-03-06 2009-09-09 华为技术有限公司 Method, device and system for authenticating response messages

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7266754B2 (en) * 2003-08-14 2007-09-04 Cisco Technology, Inc. Detecting network denial of service attacks
US7114181B2 (en) * 2004-01-16 2006-09-26 Cisco Technology, Inc. Preventing network data injection attacks

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101527632A (en) * 2008-03-06 2009-09-09 华为技术有限公司 Method, device and system for authenticating response messages

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"R2-1700191 UP enhancements for TCP performance".《3GPP tsg_ran\WG2_RL2》.2017, *
深度解答:分析TCP会话劫持全过程情况;网友;《ZOL中关村在线》;20100913;第1-3页 *

Also Published As

Publication number Publication date
CN108449280A (en) 2018-08-24

Similar Documents

Publication Publication Date Title
CN101202742B (en) Method and system for preventing refusal service attack
US7404210B2 (en) Method and apparatus for defending against distributed denial of service attacks on TCP servers by TCP stateless hogs
CN101636968A (en) Method for preventing denial of service attacks using transmission control protocol state transition
CN110266678B (en) Security attack detection method and device, computer equipment and storage medium
CN100420197C (en) Method for guarding against attack realized for networked devices
CN102510385A (en) Method for preventing fragment attack of IP (Internet Protocol) datagram
CN108810008B (en) Transmission control protocol flow filtering method, device, server and storage medium
CN108449280B (en) Method and device for avoiding ping-pong of TCP (Transmission control protocol) messages
CN107454065B (en) Method and device for protecting UDP Flood attack
US7752670B2 (en) Detecting an attack of a network connection
WO2011012004A1 (en) Method and system for realizing network flow cleaning
CA2548344A1 (en) Preventing network reset denial of service attacks
CN104283716A (en) Data transmission method, equipment and system
KR101463873B1 (en) Method and apparatus for preventing data loss
EP3417585B1 (en) Terminal and communication method thereof
CN105991509A (en) Session processing method and apparatus
CN107395550A (en) The defence method and server of a kind of network attack
CN104601484B (en) A kind of TCP unloads the transmitting element of engine
JP4391455B2 (en) Unauthorized access detection system and program for DDoS attack
KR101269552B1 (en) Method and apparatus for denial of service detection against incomplete get request of http
TWI427995B (en) Customer premises equipment and method for avoiding attacks thereof
JP5009200B2 (en) Network attack detection device and defense device
US20180241770A1 (en) Communication system and repeater
CN114124489B (en) Method, cleaning device, equipment and medium for preventing flow attack
KR101449627B1 (en) Method and apparatus for detecting abnormal session

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant