CN108551446A - Attack-resistant SYN message processing method, device, firewall and storage medium - Google Patents


Publication number
CN108551446A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810308208.8A
Other languages
Chinese (zh)
Other versions
CN108551446B (en)
Inventor
刘健男
党丽娜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Neusoft Corp
Original Assignee
Neusoft Corp
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]


Abstract

This disclosure relates to an attack-resistant SYN message processing method, device, firewall and storage medium that improve the performance of a firewall in defending against SYN Flood attacks. The method includes: receiving a SYN message; when it is determined that the firewall is under attack, determining how to process the SYN message according to the source IP address of the SYN message, a constructed white list and other lists; wherein the white list is used to store source IP addresses whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information that is still to be determined as an attack or not, the connection information including the source IP address, destination IP address and port number.

Description

Attack-resistant SYN message processing method, device, firewall and storage medium
Technical field
This disclosure relates to the field of computer technology, and in particular to an attack-resistant SYN message processing method, device, firewall and storage medium.
Background
SYN Flood is one of the best-known DoS (Denial of Service) and DDoS (Distributed Denial of Service) attack methods. It exploits a design defect of TCP (Transmission Control Protocol): from forged IP addresses or IP address ranges, the attacker sends a massive number of first packets of the TCP three-way handshake (SYN messages; SYN stands for Synchronous, the handshake signal used when TCP/IP establishes a connection). The attacked party has to consume memory to keep the state of each connection, which remains a half-open connection until it times out, so that other normal services cannot be handled and the purpose of the attack is achieved.
At present, SYN Flood attacks are mainly defended against in the following ways. The first is monitoring and releasing invalid connections: this method monitors the connections in an unfinished state and removes them once they reach a certain threshold, in order to release resources. However, this approach treats all connections alike; because the number of half-open connections caused by a SYN Flood attack is very large, normal connection requests may be submerged in the attack and released as well. The second is delayed TCB (Thread Control Block) allocation: server resources are consumed mainly because the server allocates a TCB as soon as a SYN data message arrives, which occupies resources. Since a SYN Flood attack can hardly establish a normal connection, allocating the TCB only after a normal connection has been established effectively reduces the consumption of server resources. However, this approach only relatively reduces the burden on the server, and the firewall's own resources may still be exhausted.
It can be seen that there is currently no satisfactory method of defending against SYN Flood attacks.
Summary of the invention
The purpose of this disclosure is to provide an attack-resistant SYN message processing method, device, firewall and storage medium that improve the performance of a firewall in defending against SYN Flood attacks.
According to a first aspect of the embodiments of the present invention, an attack-resistant SYN message processing method is provided, applied to a firewall, including:
receiving a SYN message;
when it is determined that the firewall is under attack, determining how to process the SYN message according to the source IP address of the SYN message, a constructed white list and other lists;
wherein the white list is used to store source IP addresses whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information that is still to be determined as an attack or not, the connection information including the source IP address, destination IP address and port number.
Optionally, the firewall includes a designated processor and other processors, and determining how to process the SYN message according to the source IP address of the SYN message, the constructed white list and the other lists includes:
when the designated processor receives the SYN message and verifies that the source IP address of the SYN message is not in the white list, verifying whether the IP address of the SYN message is in the blacklist;
if the designated processor determines that the IP address of the SYN message is in the blacklist, discarding the SYN message; or, if the designated processor determines that the IP address of the SYN message is not in the blacklist, determining how to process the SYN message according to the red list;
when one of the other processors receives the SYN message and verifies that the source IP address of the SYN message is not in the white list, determining how to process the SYN message according to the red list.
Optionally, determining how to process the SYN message according to the red list includes:
if the source IP address of the SYN message is not in the red list of the current processor that received the SYN message, adding the source IP address to the red list of the current processor and discarding the SYN message;
if the SYN message is the 2nd to Nth SYN message sent by the source IP address, replying with an incorrect SYN acknowledgment message; wherein, if a connection release message sent by the source IP address is received after the incorrect SYN acknowledgment message has been replied, the source IP address is moved from the red list of the current processor to the white list;
if the SYN message is the (N+1)th SYN message sent by the source IP address, discarding the message and moving the source IP address from the red list of the current processor to the blacklist.
Optionally, the blacklist includes a source IP address blacklist and a destination IP address blacklist, and the method further includes:
adding a source IP address whose number of connections in an unfinished state exceeds a preset threshold to the source IP address blacklist, and performing hardware configuration so that SYN messages sent by a source IP address added to the source IP address blacklist are received by the designated processor;
adding a destination IP address whose number of connections in an unfinished state exceeds a preset threshold, together with the corresponding source IP addresses, to the destination IP address blacklist, and performing hardware configuration so that SYN messages requesting a connection with a destination IP address in the destination IP address blacklist are received by the designated processor;
verifying whether the IP address of the SYN message is in the blacklist includes:
the designated processor verifying whether the source IP address of the SYN message is in the source IP address blacklist, and verifying whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
Optionally, the method further includes:
setting to pending (to be determined) the state of a source IP address in the white list whose connection has timed out without being completed;
determining how to process the SYN message according to the source IP address of the SYN message, the constructed white list and the other lists includes:
if the state of the source IP address of the SYN message in the white list is pending and the SYN message is the first SYN message sent by the source IP address after it was set to pending, discarding the SYN message;
if the state of the source IP address of the SYN message in the white list is pending and the SYN message is not the first SYN message sent by the source IP address after it was set to pending, replying with a correct SYN acknowledgment message;
if an acknowledgment message sent by the source IP address is received within the timeout period, replying with a connection release message, setting the state of the source IP address in the white list to normal, and waiting for the source IP address to retransmit the SYN message.
Optionally, the method further includes:
after an acknowledgment message sent by the source IP address has been received within the timeout period and a connection release message has been replied, incrementing the abnormality count of the source IP address by one;
when the abnormality count of the source IP address reaches a count threshold, adding the connection information of the SYN message received after the connection release message was replied to the yellow list, and marking the source IP address in the white list with the yellow-list state;
determining how to process the SYN message according to the source IP address of the SYN message, the constructed white list and the other lists includes:
if the source IP address of the received SYN message carries the yellow-list state mark in the white list, querying, according to the connection information of the received SYN message, whether it is in the yellow list;
if it is in the yellow list, replying with a correct SYN acknowledgment message, wherein, if an acknowledgment message is received within the timeout period, a connection release message is replied and the source IP address is awaited to retransmit the SYN message in order to establish the connection; or, if no acknowledgment message is received within the timeout period and none is received after the SYN acknowledgment message has been replied a preset number of times, marking the connection information as an attack.
According to a second aspect of the embodiments of the present invention, an attack-resistant SYN message processing device is provided, applied to a firewall, including:
a message receiving module, for receiving a SYN message;
a processing module, for determining, when it is determined that the firewall is under attack, how to process the SYN message according to the source IP address of the SYN message, a constructed white list and other lists;
wherein the white list is used to store source IP addresses whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information that is still to be determined as an attack or not, the connection information including the source IP address, destination IP address and port number.
According to a third aspect of the embodiments of the present invention, a firewall is provided, including:
a non-transitory computer readable storage medium;
multiple processors, for receiving a SYN message and, when it is determined that the firewall is under attack, determining how to process the SYN message according to the source IP address of the SYN message, a constructed white list and other lists;
wherein the white list is used to store source IP addresses whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information that is still to be determined as an attack or not, the connection information including the source IP address, destination IP address and port number.
Optionally, the multiple processors include a designated processor and other processors, and the designated processor is used for:
when receiving the SYN message and verifying that the source IP address of the SYN message is not in the white list, verifying whether the IP address of the SYN message is in the blacklist;
if it is determined that the IP address of the SYN message is in the blacklist, discarding the SYN message; or, if it is determined that the IP address of the SYN message is not in the blacklist, determining how to process the SYN message according to the red list of the current processor that received the SYN message;
the other processors are used for:
when receiving the SYN message and verifying that the source IP address of the SYN message is not in the white list, determining how to process the SYN message according to the red list of the current processor that received the SYN message.
According to a fourth aspect of the embodiments of the present invention, a computer readable storage medium is provided; the non-transitory computer readable storage medium includes one or more programs, the one or more programs being used to execute the method of any one of the first aspect.
In the embodiments of the present disclosure, multiple lists can be constructed: a white list for storing source IP addresses whose three-way handshake succeeded, a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information that is still to be determined as an attack or not. As a relay device between the terminal and the server, when the firewall receives a SYN message and determines that the firewall is under attack, it can decide how to process the SYN message according to the source IP address of the SYN message, the constructed white list and the other lists. In this way, multiple lists with different functions are used together to determine comprehensively whether a received SYN message is an attack message, which helps to defend better against SYN Flood attacks and improves the firewall's performance in defending against them.
Other features and advantages of the disclosure are described in detail in the detailed description that follows.
Brief description of the drawings
The accompanying drawings are provided for a further understanding of the disclosure and constitute a part of the specification. Together with the following detailed description they serve to explain the disclosure, but do not limit it. In the drawings:
Fig. 1 is a flow chart of an attack-resistant SYN message processing method according to an exemplary embodiment;
Fig. 2 is a flow chart of the SYN message processing method performed by the designated processor according to an exemplary embodiment;
Fig. 3 is a flow chart of the SYN message processing method performed by a non-designated processor according to an exemplary embodiment;
Fig. 4 is a block diagram of a firewall according to an exemplary embodiment;
Fig. 5 is a block diagram of an attack-resistant SYN message processing device according to an exemplary embodiment.
Detailed description
Specific embodiments of the disclosure are described in detail below with reference to the drawings. It should be understood that the specific embodiments described here are only used to describe and explain the disclosure and do not limit it.
The background of the disclosure is introduced first. The firewall is a relay device between the terminal and the server; it can be a firewall device integrated at the server end, or a firewall device independent of the server and the terminal. Before a connection is established between the terminal and the server, the firewall must first verify its reliability. Taking the establishment of a TCP (Transmission Control Protocol) connection as an example, a terminal that wants to connect to the server must first perform a three-way handshake with the firewall; only after the three-way handshake succeeds can the connection to the server be established through the firewall. Under normal circumstances the three-way handshake between terminal and firewall proceeds as follows: the terminal sends a SYN packet to the firewall; the firewall replies to the received SYN message with a SYN acknowledgment packet (i.e. a SYN+ACK packet); after receiving the SYN+ACK packet, the terminal sends an acknowledgment packet (i.e. an ACK packet), and the three-way handshake is complete.
For each three-way handshake session the firewall can create a session control table (i.e. a session table) and store it, so that subsequent data packets are transmitted using the established session table. The firewall can also configure an expiry time for each session table; once the expiry time has passed, the session table can be deleted.
Based on the above background, Fig. 1 is a flow chart of an attack-resistant SYN message processing method according to an exemplary embodiment. As shown in Fig. 1, the method can be applied in a firewall and includes the following steps.
Step S11: receive a SYN message.
Step S12: determine how to process the SYN message according to the source IP address of the SYN message, the constructed white list and the other lists.
In the embodiments of the present disclosure, in order to verify whether a received SYN message used to establish a TCP connection may be an attack message, multiple lists can be constructed: a white list for storing source IP addresses whose three-way handshake succeeded, a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information that is still to be determined as an attack or not.
In step S11, the SYN message received by the firewall can be a SYN message sent by a terminal to request a connection with the server, or a SYN message sent by the server to request a connection with a terminal; the embodiments of the disclosure do not limit this. The SYN message carries connection information, which may include the source IP address, destination IP address, port number and other information.
After receiving a SYN message, if the firewall is currently in the attacked state, it decides how to handle the SYN message according to the source IP address of the received SYN message, using the white list together with the other lists. The embodiments of the disclosure can use multiple lists with different functions together to determine comprehensively whether a received SYN message is an attack message, and thereby decide how best to handle the SYN message, which helps to defend against SYN Flood attacks and improves the firewall's performance in defending against them.
The embodiments of the disclosure do not limit how it is determined whether the firewall is under attack; possible ways are described below.
In one embodiment, an alert mode can be provided. At every preset interval the firewall checks whether the number of connections currently in an unfinished state has reached a preset quantity threshold. When the number reaches the threshold, the firewall enters alert mode and is then considered to be under attack. After entering alert mode, if it is detected that the number has not reached the preset quantity threshold, the firewall can exit alert mode.
A connection in an unfinished state is one whose three-way handshake has not completed, for example the Syn state, in which a SYN message has been forwarded and the SYN+ACK message is awaited, or the SYN+RECV state, in which a SYN+ACK message has been replied to a received SYN message and the ACK message is awaited. When the number of such unfinished connections is too large, the situation can be considered abnormal (for example, a SYN Flood attack). A threshold can therefore be set and used to judge periodically whether the firewall is under attack; when it is determined to be under attack, alert mode can be entered.
For example, with the preset quantity threshold set to 10,000, every 1 minute (the preset interval) it is judged whether the number of connections currently in an unfinished state on the firewall has reached 10,000. If so, the firewall may be under attack and enters alert mode; from then on, for every SYN received, the constructed lists are used to decide how to handle the received message. After entering alert mode, if it is detected that the number of connections in an unfinished state on the firewall is below 10,000, alert mode can be exited.
Whether to enter alert mode can also be decided with a ratio threshold. For example, every 1 minute it is judged whether the ratio of the number of connections currently in an unfinished state to all session connections has reached the ratio threshold; if it has, alert mode is entered, otherwise alert mode is not entered or is exited.
In the embodiments of the present disclosure, when alert mode has not been entered, the firewall is considered not to be under attack, so received SYN connections need not be checked against the lists and the three-way handshake proceeds normally; the list checks are used to defend against attacks only after alert mode has been entered. In this way the firewall's data processing speed under normal conditions is improved, and better defence is also possible when under attack.
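The periodic alert-mode check described above, as an added example that is not code from the patent: it replays a constructed series of session-table snapshots and shows that a flood starting between two checks is only noticed at the next one. The class and function names, the state labels used as strings and the sample timeline are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Handshake states the page counts as "unfinished" (labels as written on the page).
UNFINISHED = {"Syn", "SYN+RECV"}


@dataclass
class AlertMonitor:
    interval: float                          # preset interval between checks, seconds
    count_threshold: Optional[int] = None    # unfinished connections needed to alert
    ratio_threshold: Optional[float] = None  # unfinished / all sessions needed to alert
    alert: bool = False
    next_check: float = 0.0

    def over_threshold(self, states: List[str]) -> bool:
        """True when the snapshot reaches the quantity or the ratio threshold."""
        unfinished = sum(1 for s in states if s in UNFINISHED)
        if self.count_threshold is not None and unfinished >= self.count_threshold:
            return True
        if self.ratio_threshold is not None and states:
            return unfinished / len(states) >= self.ratio_threshold
        return False

    def tick(self, now: float, states: List[str]) -> bool:
        """Re-evaluate only when a check is due; otherwise keep the current mode."""
        if now >= self.next_check:
            self.alert = self.over_threshold(states)
            self.next_check = now + self.interval
        return self.alert


def table(established: int, syn: int, syn_recv: int) -> List[str]:
    """Constructed session table: one state label per session."""
    return ["ESTABLISHED"] * established + ["Syn"] * syn + ["SYN+RECV"] * syn_recv


# Constructed timeline of (seconds, session table). The flood begins at t=30,
# between two checks, and has ended by t=90.
TIMELINE = [
    (0, table(500, 100, 50)),
    (30, table(500, 0, 12000)),
    (60, table(500, 0, 12000)),
    (90, table(500, 5, 5)),
    (120, table(500, 5, 5)),
]


def replay(monitor: AlertMonitor, timeline=TIMELINE) -> List[bool]:
    """Alert-mode flag seen at each point of the timeline."""
    return [monitor.tick(t, states) for t, states in timeline]


if __name__ == "__main__":
    # Page's example values: threshold 10,000, checked every 1 minute.
    print(replay(AlertMonitor(interval=60, count_threshold=10_000)))
    print(replay(AlertMonitor(interval=60, ratio_threshold=0.5)))
```

The mode at t=30 and t=90 is stale in both directions: list checks start up to one interval after the flood begins and continue up to one interval after it ends.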
Of course, whether or not alert mode is active, the firewall can put source IP addresses whose three-way handshake succeeded into the white list and IP addresses determined to be attacking into the blacklist, so that under alert mode attacks can be defended against relatively accurately according to each list. The specific processing is as follows:
1. Construction of the white list: each time a session table has been created based on a SYN message, if the three-way handshake succeeds, the white list is queried for the source IP address of the SYN message; if it is absent, the source IP address of the SYN message is added to the white list, and if it is present nothing is done. The white list in the embodiments of the disclosure is a global table; when the firewall has multiple processors, each processor can query and modify the white list without locks, so processing is fast.
2. Construction of the blacklist: SYN attacks generally take two forms: a host indiscriminately and actively attacks multiple servers, or multiple hosts purposefully attack the same destination server. The blacklist can therefore include a source IP address blacklist and a destination IP address blacklist, each holding addresses confirmed as attacks.
For the same source IP address, if the number of connections in an unfinished state reaches the preset threshold, it can be considered that this source IP address is performing SYN scanning, so it can be added to the source IP address blacklist. In order to identify attack sources more accurately, the preset threshold here can be set to a fairly high value, such as 10,000. When the firewall has multiple processors, each processor can sort the source IP addresses of connections that are in an unfinished state and have timed out by count, find the source IP addresses whose count exceeds the preset threshold, determine them to be attacking source IP addresses and add them to the source IP address blacklist.
For the same destination IP address, if the number of connections in an unfinished state reaches the preset threshold, it can be considered that the same destination server is being attacked by a large number of hosts, so this destination IP address and the corresponding source IP addresses can be added to the destination IP address blacklist. (It should be understood that in the destination IP address blacklist a destination IP address is stored in a pair with a source IP address; if the destination IP address and source IP address of a SYN message match the same destination/source pair in the blacklist, the message can be confirmed as an attack.) In order to identify attack sources more accurately, the preset threshold here can be set to a fairly high value, such as 10,000. When the firewall has multiple processors, each processor can sort the destination IP addresses of connections that are in an unfinished state and have timed out by count, find the destination IP addresses whose count exceeds the preset threshold and add them to the destination IP address blacklist.
Since everything stored in the blacklist is an attacking IP address, in the embodiments of the disclosure the blacklist can be queried by a designated processor in order to divert the attack. That is, the firewall can include a designated processor and other processors. When the designated processor receives the SYN message and verifies that the source IP address of the SYN message is not in the white list, it can verify whether the IP address of the SYN message is in the blacklist; if the designated processor determines that the IP address of the SYN message is in the blacklist, it discards the SYN message; if the designated processor determines that the IP address of the SYN message is not in the blacklist, it goes on to determine how to process the SYN message according to the red list. When one of the other processors receives the SYN message and verifies that the source IP address of the SYN message is not in the white list, it determines how to process the SYN message according to the red list.
In other words, only the designated processor checks the blacklist; the other processors do not need to, which diverts most of the attack to the designated processor and keeps attack traffic from affecting normal traffic. The way the designated processor checks the blacklist is described below.
In one embodiment, a source IP address whose number of connections in an unfinished state exceeds the preset threshold can be added to the source IP address blacklist, and hardware configuration is performed so that SYN messages sent by a source IP address added to the source IP address blacklist are received by the firewall's designated processor; and a destination IP address whose number of connections in an unfinished state exceeds the preset threshold, together with the corresponding source IP addresses, is added to the destination IP address blacklist, and hardware configuration is performed so that SYN messages requesting a connection with a destination IP address in the destination IP address blacklist are received by the designated processor. Verifying whether the IP address of the SYN message is in the blacklist can then consist of the designated processor verifying whether the source IP address of the SYN message is in the source IP address blacklist, and verifying whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
The firewall can be a multi-core firewall, i.e. have multiple processors. When any processor adds a source IP address to the source IP address blacklist, it can configure the hardware filter so that messages sent by source IP addresses added to the source IP address blacklist are received by the designated processor among the multiple processors. During attack defence, only this designated processor then receives messages sent by source IP addresses in the source IP address blacklist, so naturally only it needs to query the source IP address blacklist. When the designated processor receives a SYN message, it can first judge whether the source IP address of the SYN message is in the white list; if not, it goes on to judge whether it is in the source IP address blacklist; if so, the SYN message is discarded directly, and if not, the red list is checked next.
Likewise, the destination IP address blacklist stores destination IP addresses confirmed as attack targets together with the corresponding source IP addresses. When an IP address is added to the destination IP address blacklist, the hardware filter can likewise be configured so that messages for a destination IP address added to the destination IP address blacklist are received by the designated processor among the firewall's multiple processors. During attack defence, only this designated processor then receives messages sent to destination IP addresses in the destination IP address blacklist, so naturally only it needs to query the destination IP address blacklist. When the designated processor receives a SYN message, it can first judge whether the source IP address of the SYN message is in the white list; if not, it goes on to judge whether the destination IP address appears paired with the source IP address in the destination IP address blacklist; if so, the SYN message is discarded directly, and if not, the red list is checked next.
For the other processors, because hardware configuration has been performed for the blacklist, they do not receive SYN messages from IP addresses in the blacklist and therefore need not query it; after determining that the source IP address of a received SYN message is not in the white list, they go directly to the red list check.
In this way, when under attack, a large number of attack SYN messages are diverted to the designated processor for handling without affecting the normal operation of the other processors, which improves the firewall's ability to defend against attacks.
The red list verification procedure is described below.
In one embodiment, determining how to process the SYN message according to the red list includes: if the source IP address is not in the red list of the current processor that received the SYN message, adding the source IP address to the red list of the current processor and dropping the SYN message; if the SYN message is the 2nd to Nth SYN message sent by the source IP address, replying with an incorrect SYN acknowledgment message, where, after the incorrect SYN acknowledgment message has been replied, if a connection release message sent by the source IP address is received, the source IP address is moved from the red list of the current processor to the whitelist (N being a preset value greater than 2), and if no connection release message is received from the source IP address, nothing is done; if the SYN message is the (N+1)th SYN message sent by the source IP address, dropping the message and moving the source IP address from the red list of the current processor to the blacklist; and if the source IP address is in the red list of the current processor and the state of the source IP address is attack, dropping the message.
The red list is a per-core resource: each processor has its own red list, which is used to verify whether the SYN messages received by the current processor are an attack. SYN messages are handled on the basis of the red list as follows:
1. If the current processor looks up its red list by the source IP address of the SYN message and the address is not in the red list, a new entry is created and added to the red list, and this first SYN message is dropped directly.
2. If the address is found in the red list and the message is the 2nd to Nth message (for example, with N = 10) sent by the source IP address, the message is dropped and an incorrect SYN+ACK message is replied; the processor then waits for the connection release message (i.e., the reset message) with which the source IP address should reply. If the reset message is received, the source IP address is moved to the whitelist, and subsequent messages sent by the source IP address can be handled as normal traffic. If no reset message is received, nothing is done, and the processor keeps waiting for the next message sent by the source IP address.
3. If the address is found in the red list and the message is the (N+1)th SYN message sent by the source IP address (after N rounds of verification the source IP address has not replied with a reset message, so the source IP address is considered an attack), the SYN message is dropped directly and the source IP address is moved from the red list to the blacklist.
In this way, the red list can be used to verify whether SYN messages whose source IP address is in neither the whitelist nor the blacklist are an attack, so that attacks are defended against fully and effectively. At the same time, the red list is a table local to each core, so performance can grow linearly with the number of processors.
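The red list procedure and the designated-processor steering described above can be modelled as a small state machine. This is an added illustration, not code from the patent; the class and function names, the use of core 0 as the designated processor and the address-modulo steering (a stand-in for the hardware filter) are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum

N = 10  # verification rounds per unknown source; the text's example value


class Action(Enum):
    PASS = "continue the normal three-way handshake"
    DROP = "drop"
    PROBE = "drop, reply with an incorrect SYN+ACK, wait for the reset"


@dataclass
class Core:
    """One firewall processor; its red list is local, so no locking."""
    designated: bool = False
    red: dict = field(default_factory=dict)  # source IP -> SYNs seen so far


class Firewall:
    def __init__(self, n_cores=4):
        # Assumption: core 0 plays the role of the designated processor.
        self.cores = [Core(designated=(i == 0)) for i in range(n_cores)]
        self.whitelist = set()  # global: sources that answered a probe
        self.blacklist = set()  # source blacklist, read by core 0 only

    def steer(self, src):
        """Stand-in for the hardware filter: blacklisted sources are pinned
        to the designated core, all others are spread by address."""
        if src in self.blacklist:
            return self.cores[0]
        return self.cores[int(ipaddress.ip_address(src)) % len(self.cores)]

    def on_syn(self, src):
        core = self.steer(src)
        if src in self.whitelist:
            return Action.PASS
        if core.designated and src in self.blacklist:
            return Action.DROP
        seen = core.red.get(src, 0) + 1
        if seen > N:  # SYN number N+1: no reset was ever received
            del core.red[src]
            self.blacklist.add(src)
            return Action.DROP
        core.red[src] = seen
        # First SYN only creates the entry; SYNs 2..N are probed.
        return Action.DROP if seen == 1 else Action.PROBE

    def on_rst(self, src):
        """A real TCP stack resets the bogus SYN+ACK; spoofed sources cannot."""
        core = self.steer(src)
        if core.red.get(src, 0) >= 2:  # at least one probe was sent
            del core.red[src]
            self.whitelist.add(src)
            return True
        return False


def replay(fw, events):
    """Feed (kind, source) events to the firewall; return the SYN verdicts."""
    verdicts = []
    for kind, src in events:
        if kind == "SYN":
            verdicts.append(fw.on_syn(src))
        else:
            fw.on_rst(src)
    return verdicts


# Constructed sample sources (documentation address ranges).
REAL = "198.51.100.7"      # answers the probe with a reset
SPOOFED = "203.0.113.66"   # never answers

if __name__ == "__main__":
    fw = Firewall()
    trace = [("SYN", REAL), ("SYN", REAL), ("RST", REAL), ("SYN", REAL)]
    print([a.name for a in replay(fw, trace)])
    print([a.name for a in replay(fw, [("SYN", SPOOFED)] * 12)])
```

A client with a real TCP stack is admitted on its third SYN, while a source that never resets is blacklisted on SYN N+1 and from then on reaches only the designated core.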
In one embodiment, when the source IP address of a received SYN message is in the whitelist, the three-way handshake session normally proceeds as usual; however, the three-way handshake may still time out. Therefore, the state of a source IP address in the whitelist that timed out without completing the connection can be set to pending. Step S12 may then include: if the state of the source IP address of the SYN message in the whitelist is pending, and the SYN message is the first SYN message sent by the source IP address after it was set to pending, dropping the SYN message; if the state of the source IP address of the SYN message in the whitelist is pending, and the SYN message is not the first SYN message sent by the source IP address after it was set to pending, replying with a correct SYN acknowledgment message; and if the acknowledgment message sent by the source IP address is received within the timeout, replying with a connection release message, setting the state of the source IP address in the whitelist to normal, and waiting for the source IP address to retransmit the SYN message.
That is, for a source IP address in the whitelist, the three-way handshake may fail to complete and the session table entry may be deleted when the timeout expires. This may be because a valid source IP address is sending meaningless SYN scan attacks, so source IP addresses in this situation can be verified further, as follows:
1. A source IP address whose connection timed out is set to the pending state in the whitelist.
2. When a source IP address in the pending state sends SYN messages again, the first SYN message is dropped directly.
3. For SYN messages sent after that, a correct SYN+ACK message is replied.
4. If the ACK message replied by the source IP address is received within the timeout, a reset message is replied, the source IP address is expected to retransmit the SYN message, and the state of the source IP address is set to normal.
5. If the ACK message replied by the source IP address is not received within the timeout, nothing is done. The first predetermined number (for example, 10) of messages sent by the source IP address are all handled as above (after the correct SYN+ACK message is replied, the ACK message is awaited). If the ACK message replied by the source IP address has still not been received after 10 or more messages, the source IP address can be moved to the blacklist, and all subsequent messages are dropped.
In this way, it is possible to verify whether the whitelist contains source IP addresses that may be attacking, so that received SYN messages are handled better and all-round attack defense is achieved.
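The five-step re-verification of a pending whitelist entry, as an added sketch that is not code from the patent. The names, the 3-second timeout and the choice not to count the first dropped SYN among the 10 probed messages are assumptions; timestamps are passed in explicitly so the timeout logic can be followed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

TIMEOUT = 3.0    # seconds to wait for the ACK (assumed value)
MAX_PROBES = 10  # the text's example "predetermined number"


class Status(Enum):
    NORMAL = 1
    PENDING = 2


@dataclass
class Entry:
    status: Status = Status.NORMAL
    syns: int = 0                     # SYNs seen since the entry went pending
    probes: int = 0                   # correct SYN+ACKs sent so far
    probe_at: Optional[float] = None  # send time of the latest SYN+ACK


class WhitelistVerifier:
    def __init__(self):
        self.whitelist = {}   # source IP -> Entry
        self.blacklist = set()

    def handshake_timed_out(self, src):
        """Step 1: the session was deleted on timeout; mark the source."""
        self.whitelist[src] = Entry(status=Status.PENDING)

    def on_syn(self, src, now):
        if src in self.blacklist:
            return "drop"
        entry = self.whitelist.get(src)
        if entry is None:
            return "unknown"          # not whitelisted: red list territory
        if entry.status is Status.NORMAL:
            return "pass"
        entry.syns += 1
        if entry.syns == 1:
            return "drop"             # step 2: first SYN after going pending
        if entry.probes >= MAX_PROBES:
            # Step 5: every probe went unanswered, treat as an attack.
            del self.whitelist[src]
            self.blacklist.add(src)
            return "drop"
        entry.probes += 1
        entry.probe_at = now
        return "syn+ack"              # step 3: correct SYN+ACK, await ACK

    def on_ack(self, src, now):
        entry = self.whitelist.get(src)
        if (entry is None or entry.status is not Status.PENDING
                or entry.probe_at is None
                or now - entry.probe_at > TIMEOUT):
            return "ignore"           # late or unsolicited ACK: do nothing
        # Step 4: the source completes handshakes, so reset the half-open
        # probe connection and let the client retransmit its SYN.
        self.whitelist[src] = Entry(status=Status.NORMAL)
        return "rst"


# Constructed sample sources (documentation address ranges).
CLIENT = "198.51.100.7"
SCANNER = "203.0.113.66"

if __name__ == "__main__":
    v = WhitelistVerifier()
    v.handshake_timed_out(CLIENT)
    print(v.on_syn(CLIENT, 0.0), v.on_syn(CLIENT, 1.0),
          v.on_ack(CLIENT, 1.5), v.on_syn(CLIENT, 2.0))
    v.handshake_timed_out(SCANNER)
    print([v.on_syn(SCANNER, float(t)) for t in range(12)])
```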
In one embodiment, after the acknowledgment message sent by the source IP address has been received within the timeout and the connection release message has been replied, the abnormality count for the source IP address may also be incremented by one. When the abnormality count of the source IP address reaches a count threshold, the connection information of the SYN messages received after the connection release message was replied is added to the yellow list, and the source IP address in the whitelist is marked with the yellow list state. Step S12 may then include: if the source IP address of the received SYN message carries the yellow list state mark in the whitelist, querying, according to the connection information of the received SYN message, whether it is in the yellow list; if it is in the yellow list, replying with a correct SYN acknowledgment message, where, if an acknowledgment message is received within the timeout, a connection release message is replied and the source IP address is expected to retransmit the SYN message in order to establish the connection; and if no acknowledgment message is received within the timeout, and still none has been received after a preset number of SYN acknowledgment messages have been replied, marking the connection information as attack.
For a source IP address marked as pending in the whitelist, even though the ACK message replied by the source IP address was received after the SYN+ACK message was sent during verification, this situation is still quite abnormal: a valid source IP address may be sending attack messages at some times and normal messages at others. Therefore, each time this situation occurs the abnormality count can be incremented by 1, and when the abnormality count reaches the count threshold (for example, 100), the yellow list can be built: where the reset message succeeded, the connection information of the received SYN messages (i.e., source IP address, destination IP address and port number) is added together as one entry to the yellow list, and the source IP address in the whitelist is marked with the yellow list state. If the source IP address of a received SYN message is then in the whitelist with the yellow list state, it is necessary to query further whether the connection information of the SYN message is in the yellow list. If it is not, the three-way handshake session proceeds normally. If it is, a SYN+ACK message is replied; if the ACK message further replied by the source IP address is received, a reset message is sent, and the next SYN message can establish the connection normally. If, after a preset number of attempts (for example, 3) to reply the SYN+ACK message, each attempt times out without the further ACK message from the source IP address being received, the SYN message is dropped and the connection information in the yellow list is marked as attack, after which all subsequent messages are dropped. In this way, SYN attacks can be defended against more comprehensively.
In the embodiments of the disclosure, for distributed SYN attacks, in most cases the attack source controls a large number of puppet (zombie) machines to carry out the SYN attack. In this case, when attacking, a puppet machine usually uses not only its own IP address but also disguises itself as addresses in a similar source IP address segment. For such situations, the disclosure can work out the attacker's source IP address segment by statistical means. For example, starting from the source IP addresses in the red list that have initiated more than 10,000 SYN messages, or the source IP addresses for which the number of handshake attempts that did not successfully complete the three-way handshake exceeds 10,000, it is analysed whether a network segment may be emerging, and the scope of the statistics is narrowed; in this way the network segment of possible attacking IP addresses can be understood and analysed. Confirmation of the IP address segment can be executed by a separate thread of a processor, which periodically, at regular intervals, performs network segment analysis on newly added IP addresses, to ensure that the normal SYN message processing logic is not affected by network segment confirmation.
To better illustrate the technical solution of the disclosure, refer to Fig. 2 and Fig. 3. Fig. 2 takes as an example the processing flow after the designated processor receives a SYN message, and Fig. 3 takes as an example the processing flow after a processor other than the designated processor receives a SYN message; together they describe in detail the possible ways of determining how to process SYN messages using the whitelist, blacklist, red list and yellow list. It can be seen that the embodiments of the disclosure have at least the following technical effects:
1. The attack defense method based on the blacklist, whitelist, red list and yellow list can, when an attack is encountered, defend against attacks with invalid source IP addresses and also against SYN attacks with valid source IP addresses, so functionally it can defend against various types of attack.
2. Based on a combination of software and hardware, messages matching the blacklist are sent by the hardware network card directly to the designated processor, so that under a high-volume attack most of the attack traffic is split off and only the designated processor needs to query the blacklist, which improves both the attack defense capability and the performance of the overall flow.
3. For the SYN attack type with valid source IP addresses, a per-core yellow list is designed, which ensures that normal traffic from such an IP address can pass unimpeded while SYN attacks are still defended against.
4. The overall design fully considers the design of each table under a multi-core architecture. Under a high-volume attack, the red list that is queried is a local table and the yellow list that is queried is also a local table, so adding attack traffic to the red and yellow lists is lock-free. The whitelist, which is needed in most cases, is a global lock-free lookup, and the blacklist is queried only by the designated processor. The whole process ensures that concurrent multi-core performance can grow linearly as processors are added.
Referring to Fig. 4, based on the same inventive concept, an embodiment of the disclosure provides a firewall 300, which may include:
a non-transitory computer-readable storage medium 301;
multiple processors 302, configured to receive a SYN message and, when it is determined that the firewall is under attack, determine how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
wherein the whitelist is used to store the source IP addresses of SYN messages whose three-way handshake succeeded, and the other lists include at least one of a blacklist for storing the IP addresses of attack SYN messages, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack, the connection information including a source IP address, a destination IP address and a port number.
Optionally, the multiple processors 302 include a designated processor and other processors besides the designated processor, and the designated processor is configured to:
when the SYN message is received and it is verified that the source IP address of the SYN message is not in the whitelist, verify whether the IP address of the SYN message is in the blacklist;
if it is determined that the IP address of the SYN message is in the blacklist, drop the SYN message; or, if it is determined that the IP address of the SYN message is not in the blacklist, determine how to process the SYN message according to the red list of the current processor that received the SYN message;
The other processors are configured to:
when the SYN message is received and it is verified that the source IP address of the SYN message is not in the whitelist, determine how to process the SYN message according to the red list of the current processor that received the SYN message.
Optionally, the multiple processors 302 are configured to:
if the source IP address of the SYN message is not in the red list of the current processor that received the SYN message, add the source IP address to the red list of the current processor and drop the SYN message;
if the SYN message is the 2nd to Nth SYN message sent by the source IP address, reply with an incorrect SYN acknowledgment message; wherein, after the incorrect SYN acknowledgment message has been replied, if a connection release message sent by the source IP address is received, the source IP address is moved from the red list of the current processor to the whitelist;
if the SYN message is the (N+1)th SYN message sent by the source IP address, drop the message and move the source IP address from the red list of the current processor to the blacklist.
Optionally, the blacklist includes a source IP address blacklist and a destination IP address blacklist, and the multiple processors 302 are further configured to:
add a source IP address whose number of connections in the uncompleted state exceeds a predetermined threshold to the source IP address blacklist, and perform hardware configuration so that the SYN messages sent by source IP addresses added to the source IP address blacklist are all received by the designated processor;
add a destination IP address whose number of connections in the uncompleted state exceeds a predetermined threshold, together with the corresponding source IP address, to the destination IP address blacklist, and perform hardware configuration so that SYN messages requesting a connection to a destination IP address in the destination IP address blacklist are received by the designated processor;
The designated processor is configured to:
verify whether the source IP address of the SYN message is in the source IP address blacklist, and verify whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
Optionally, the multiple processors 302 are further configured to:
set to pending the state of a source IP address in the whitelist that timed out without completing the connection;
if the state of the source IP address of the SYN message in the whitelist is pending, and the SYN message is the first SYN message sent by the source IP address after it was set to pending, drop the SYN message;
if the state of the source IP address of the SYN message in the whitelist is pending, and the SYN message is not the first SYN message sent by the source IP address after it was set to pending, reply with a correct SYN acknowledgment message;
if the acknowledgment message sent by the source IP address is received within the timeout, reply with a connection release message, set the state of the source IP address in the whitelist to normal, and wait for the source IP address to retransmit the SYN message.
Optionally, the multiple processors 302 are further configured to:
after the acknowledgment message sent by the source IP address has been received within the timeout and the connection release message has been replied, increment the abnormality count for the source IP address by one;
when the abnormality count of the source IP address reaches a count threshold, add the connection information of the SYN messages received after the connection release message was replied to the yellow list, and mark the source IP address in the whitelist with the yellow list state;
if the source IP address of the received SYN message carries the yellow list state mark in the whitelist, query, according to the connection information of the received SYN message, whether it is in the yellow list;
if it is in the yellow list, reply with a correct SYN acknowledgment message, wherein, if an acknowledgment message is received within the timeout, a connection release message is replied and the source IP address is expected to retransmit the SYN message in order to establish the connection; or, if no acknowledgment message is received within the timeout, and still none has been received after a preset number of SYN acknowledgment messages have been replied, mark the connection information as attack.
Referring to Fig. 5, based on the same inventive concept, an embodiment of the disclosure provides an anti-attack SYN message processing device 400, applied to a firewall, which may include:
a message receiving module 401, configured to receive a SYN message;
a processing module 402, configured to, when it is determined that the firewall is under attack, determine how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
wherein the whitelist is used to store the source IP addresses of SYN messages whose three-way handshake succeeded, and the other lists include at least one of a blacklist for storing the IP addresses of attack SYN messages, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack, the connection information including a source IP address, a destination IP address and a port number.
In the embodiments provided by the disclosure, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules or units is only a division by logical function, and in actual implementation there may be other ways of dividing them; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed.
The functional modules in the embodiments of the application may be integrated into one processing unit, each module may exist physically on its own, or two or more modules may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a non-transitory computer-readable storage medium. Based on this understanding, the technical solution of the application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the methods described in the embodiments of the application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, ROM (Read-Only Memory), RAM (Random Access Memory), a magnetic disk or an optical disc.
The above embodiments merely describe the technical solution of the disclosure in detail. The description of the embodiments is only intended to help in understanding the method of the disclosure and its core idea, and should not be construed as limiting the disclosure. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the disclosure shall be covered by the protection scope of the disclosure.

Claims (10)

1. An anti-attack SYN message processing method, applied to a firewall, characterized in that the method comprises:
receiving a SYN message;
when it is determined that the firewall is under attack, determining how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
wherein the whitelist is used to store the source IP addresses of SYN messages whose three-way handshake succeeded, and the other lists include at least one of a blacklist for storing the IP addresses of attack SYN messages, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack, the connection information including a source IP address, a destination IP address and a port number.
2. The method according to claim 1, characterized in that the firewall includes a designated processor and other processors, and determining how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists comprises:
when the designated processor receives the SYN message and verifies that the source IP address of the SYN message is not in the whitelist, verifying whether the IP address of the SYN message is in the blacklist;
if the designated processor determines that the IP address of the SYN message is in the blacklist, dropping the SYN message; or, if the designated processor determines that the IP address of the SYN message is not in the blacklist, determining how to process the SYN message according to the red list;
when one of the other processors receives the SYN message and verifies that the source IP address of the SYN message is not in the whitelist, determining how to process the SYN message according to the red list.
3. The method according to claim 2, characterized in that determining how to process the SYN message according to the red list comprises:
if the source IP address of the SYN message is not in the red list of the current processor that received the SYN message, adding the source IP address to the red list of the current processor and dropping the SYN message;
if the SYN message is the 2nd to Nth SYN message sent by the source IP address, replying with an incorrect SYN acknowledgment message; wherein, after the incorrect SYN acknowledgment message has been replied, if a connection release message sent by the source IP address is received, the source IP address is moved from the red list of the current processor to the whitelist;
if the SYN message is the (N+1)th SYN message sent by the source IP address, dropping the message and moving the source IP address from the red list of the current processor to the blacklist.
4. The method according to claim 2, characterized in that the blacklist includes a source IP address blacklist and a destination IP address blacklist, and the method further comprises:
adding a source IP address whose number of connections in the uncompleted state exceeds a predetermined threshold to the source IP address blacklist, and performing hardware configuration so that the SYN messages sent by source IP addresses added to the source IP address blacklist are all received by the designated processor;
adding a destination IP address whose number of connections in the uncompleted state exceeds a predetermined threshold, together with the corresponding source IP address, to the destination IP address blacklist, and performing hardware configuration so that SYN messages requesting a connection to a destination IP address in the destination IP address blacklist are received by the designated processor;
wherein verifying whether the IP address of the SYN message is in the blacklist comprises:
the designated processor verifying whether the source IP address of the SYN message is in the source IP address blacklist, and verifying whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
5. The method according to claim 1, characterized in that the method further comprises:
setting to pending the state of a source IP address in the whitelist that timed out without completing the connection;
wherein determining how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists comprises:
if the state of the source IP address of the SYN message in the whitelist is pending, and the SYN message is the first SYN message sent by the source IP address after it was set to pending, dropping the SYN message;
if the state of the source IP address of the SYN message in the whitelist is pending, and the SYN message is not the first SYN message sent by the source IP address after it was set to pending, replying with a correct SYN acknowledgment message;
if the acknowledgment message sent by the source IP address is received within the timeout, replying with a connection release message, setting the state of the source IP address in the whitelist to normal, and waiting for the source IP address to retransmit the SYN message.
6. The method according to claim 5, characterized in that the method further comprises:
after the acknowledgment message sent by the source IP address has been received within the timeout and the connection release message has been replied, incrementing the abnormality count for the source IP address by one;
when the abnormality count of the source IP address reaches a count threshold, adding the connection information of the SYN messages received after the connection release message was replied to the yellow list, and marking the source IP address in the whitelist with the yellow list state;
wherein determining how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists comprises:
if the source IP address of the received SYN message carries the yellow list state mark in the whitelist, querying, according to the connection information of the received SYN message, whether it is in the yellow list;
if it is in the yellow list, replying with a correct SYN acknowledgment message, wherein, if an acknowledgment message is received within the timeout, a connection release message is replied and the source IP address is expected to retransmit the SYN message in order to establish the connection; or, if no acknowledgment message is received within the timeout, and still none has been received after a preset number of SYN acknowledgment messages have been replied, marking the connection information as attack.
7. A firewall, characterized by comprising:
a non-transitory computer-readable storage medium;
multiple processors, configured to receive a SYN message and, when it is determined that the firewall is under attack, determine how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
wherein the whitelist is used to store source IP addresses for which the three-way handshake succeeded, and the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack, the connection information including a source IP address, a destination IP address and a port number.
8. The firewall according to claim 7, characterized in that the multiple processors include a designated processor and other processors, and the designated processor is configured to:
when the SYN message is received and it is verified that the source IP address of the SYN message is not in the whitelist, verify whether the IP address of the SYN message is in the blacklist;
if it is determined that the IP address of the SYN message is in the blacklist, drop the SYN message; or, if it is determined that the IP address of the SYN message is not in the blacklist, determine how to process the SYN message according to the red list of the current processor that received the SYN message;
the other processors are configured to:
when the SYN message is received and it is verified that the source IP address of the SYN message is not in the whitelist, determine how to process the SYN message according to the red list of the current processor that received the SYN message.
9. An anti-attack SYN message processing device, applied to a firewall, characterized by comprising:
a message receiving module, configured to receive a SYN message;
a processing module, configured to, when it is determined that the firewall is under attack, determine how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
wherein the whitelist is used to store source IP addresses for which the three-way handshake succeeded, and the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack, the connection information including a source IP address, a destination IP address and a port number.
10. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium includes one or more programs, the one or more programs being used to execute the method according to any one of claims 1 to 6.
CN201810308208.8A 2018-04-08 2018-04-08 Anti-attack SYN message processing method and device, firewall and storage medium Active CN108551446B (en)

Publications (2)

Publication Number Publication Date
CN108551446A (en) 2018-09-18
CN108551446B (en) 2020-11-27

Family

ID=63514233

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant