CN108551446A - Attack-prevention SYN message processing method, device, firewall and storage medium - Google Patents
- Publication number
- CN108551446A (CN201810308208.8A)
- Authority
- CN
- China
- Prior art keywords
- address
- source
- syn
- messages
- syn messages
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This disclosure relates to an attack-prevention SYN message processing method, device, firewall and storage medium that improve the firewall's performance in defending against SYN Flood attacks. The method includes: receiving a SYN message; and, when it is determined that the firewall is under attack, determining how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists. The whitelist stores source IP addresses whose three-way handshake succeeded. The other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack; the connection information includes the source IP address, destination IP address and port number.
Description
Technical Field
This disclosure relates to the field of computer technology, and in particular to an attack-prevention SYN message processing method, device, firewall and storage medium.
Background
SYN Flood (SYN flood attack) is one of the best-known DoS (Denial of Service) and DDoS (Distributed Denial of Service) attack methods. It exploits a design flaw in TCP (Transmission Control Protocol): using forged IP addresses or IP address ranges, the attacker sends a massive number of TCP connection SYN messages (SYN, Synchronous, is the handshake signal used when TCP/IP establishes a connection), that is, the first packet of the three-way handshake. The attacked party must consume memory to keep the state of each half-open connection until it times out, so that other normal services cannot be handled, which achieves the purpose of the attack.
At present, SYN Flood attacks are mainly defended against in the following ways. The first is monitoring and releasing invalid connections: connections in the unfinished state are monitored and removed once they reach a certain threshold, so as to release resources. However, this approach treats all connections alike; because the number of half-open connections caused by a SYN Flood attack is very large, normal connection requests may be submerged in the attack and released as well. The second is delaying TCB (Thread Control Block) allocation: server resources are consumed mainly because the server allocates a TCB as soon as a SYN data message arrives, which occupies resources; since a SYN Flood can hardly establish a normal connection, allocating the TCB only after a normal connection has been established effectively reduces the consumption of server resources. However, this approach only relatively reduces the burden on the server, and the firewall's own resources may still be exhausted.
It can be seen that there is currently no good method for defending against SYN Flood attacks.
Summary of the Invention
The purpose of this disclosure is to provide an attack-prevention SYN message processing method, device, firewall and storage medium that improve the firewall's performance in defending against SYN Flood attacks.
According to a first aspect of the embodiments of the present invention, an attack-prevention SYN message processing method is provided, applied to a firewall, including:
Receiving a SYN message;
When it is determined that the firewall is under attack, determining how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
Wherein the whitelist is used to store source IP addresses whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack; the connection information includes the source IP address, destination IP address and port number.
Optionally, the firewall includes a designated processor and other processors, and determining how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists includes:
When the designated processor receives the SYN message and verifies that the source IP address of the SYN message is not in the whitelist, verifying whether the IP address of the SYN message is in the blacklist;
If the designated processor determines that the IP address of the SYN message is in the blacklist, discarding the SYN message; or, if the designated processor determines that the IP address of the SYN message is not in the blacklist, determining how to process the SYN message according to the red list;
When one of the other processors receives the SYN message and verifies that the source IP address of the SYN message is not in the whitelist, determining how to process the SYN message according to the red list.
Optionally, determining how to process the SYN message according to the red list includes:
If the source IP address of the SYN message is not in the red list of the current processor that received the SYN message, adding the source IP address to the red list of the current processor and discarding the SYN message;
If the SYN message is the 2nd to Nth SYN message sent by the source IP address, replying with a wrong SYN acknowledgment message; wherein, after the wrong SYN acknowledgment message has been replied, if a connection release message sent by the source IP address is received, the source IP address is moved from the red list of the current processor to the whitelist;
If the SYN message is the (N+1)th SYN message sent by the source IP address, discarding the message and moving the source IP address from the red list of the current processor to the blacklist.
Optionally, the blacklist includes a source IP address blacklist and a destination IP address blacklist, and the method further includes:
Adding a source IP address whose number of connections in the unfinished state exceeds a preset threshold to the source IP address blacklist, and carrying out hardware configuration so that SYN messages sent by source IP addresses added to the source IP address blacklist are received by the designated processor;
Adding a destination IP address whose number of connections in the unfinished state exceeds a preset threshold, together with the corresponding source IP addresses, to the destination IP address blacklist, and carrying out hardware configuration so that SYN messages requesting to establish a connection with a destination IP address in the destination IP address blacklist are received by the designated processor;
Verifying whether the IP address of the SYN message is in the blacklist includes:
The designated processor verifying whether the source IP address of the SYN message is in the source IP address blacklist, and verifying whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
Optionally, the method further includes:
Setting to "to be determined" the state of any source IP address in the whitelist whose connection timed out without completing;
Determining how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists includes:
If the state of the source IP address of the SYN message in the whitelist is "to be determined", and the SYN message is the first SYN message sent by the source IP address after it was set to "to be determined", discarding the SYN message;
If the state of the source IP address of the SYN message in the whitelist is "to be determined", and the SYN message is not the first SYN message sent by the source IP address after it was set to "to be determined", replying with a correct SYN acknowledgment message;
If an acknowledgment message sent by the source IP address is received within the timeout period, replying with a connection release message, setting the state of the source IP address in the whitelist to normal, and waiting for the source IP address to retransmit the SYN message.
Optionally, the method further includes:
After an acknowledgment message sent by the source IP address has been received within the timeout period and a connection release message has been replied, incrementing the abnormality count of the source IP address by one;
When the abnormality count of the source IP address reaches a count threshold, adding the connection information of the SYN message received after the connection release message was replied to the yellow list, and marking the source IP address in the whitelist with the yellow-list state;
Determining how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists includes:
If the source IP address of the received SYN message carries the yellow-list state mark in the whitelist, querying, according to the connection information of the received SYN message, whether that connection information is in the yellow list;
If it is in the yellow list, replying with a correct SYN acknowledgment message, wherein, if an acknowledgment message is received within the timeout period, a connection release message is replied and the source IP address is waited on to retransmit the SYN message so as to establish the connection; or, if no acknowledgment message is received within the timeout period, and none is received after the SYN acknowledgment message has been replied a preset number of times, marking the connection information as an attack.
According to a second aspect of the embodiments of the present invention, an attack-prevention SYN message processing device is provided, applied to a firewall, including:
A message receiving module, for receiving a SYN message;
A processing module, for determining, when it is determined that the firewall is under attack, how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
Wherein the whitelist is used to store source IP addresses whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack; the connection information includes the source IP address, destination IP address and port number.
According to a third aspect of the embodiments of the present invention, a firewall is provided, including:
A non-transitory computer-readable storage medium;
Multiple processors, for receiving a SYN message and, when it is determined that the firewall is under attack, determining how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
Wherein the whitelist is used to store source IP addresses whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack; the connection information includes the source IP address, destination IP address and port number.
Optionally, the multiple processors include a designated processor and other processors, and the designated processor is used for:
On receiving the SYN message and verifying that the source IP address of the SYN message is not in the whitelist, verifying whether the IP address of the SYN message is in the blacklist;
If it is determined that the IP address of the SYN message is in the blacklist, discarding the SYN message; or, if it is determined that the IP address of the SYN message is not in the blacklist, determining how to process the SYN message according to the red list of the current processor that received the SYN message;
The other processors are used for:
On receiving the SYN message and verifying that the source IP address of the SYN message is not in the whitelist, determining how to process the SYN message according to the red list of the current processor that received the SYN message.
According to a fourth aspect of the embodiments of the present invention, a computer-readable storage medium is provided; the non-transitory computer-readable storage medium includes one or more programs, and the one or more programs are used to execute the method of any one of the first aspect.
In the embodiments of the present disclosure, multiple lists can be constructed: a whitelist for storing source IP addresses whose three-way handshake succeeded, a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack. As a relay device between the terminal and the server, the firewall, on receiving a SYN message, can, if it determines that it is under attack, determine how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists. In this way, multiple lists with multiple functions are combined to determine comprehensively whether a received SYN message is an attack message, which helps defend better against SYN Flood attacks and improves the firewall's performance in defending against them.
Other features and advantages of the disclosure are described in detail in the detailed description that follows.
Brief Description of the Drawings
The accompanying drawings are provided for further understanding of the disclosure and constitute a part of the specification; together with the following detailed description they serve to explain the disclosure, but do not limit it. In the drawings:
Fig. 1 is a flowchart of an attack-prevention SYN message processing method according to an exemplary embodiment;
Fig. 2 is a flowchart of the SYN message processing method carried out by the designated processor according to an exemplary embodiment;
Fig. 3 is a flowchart of the SYN message processing method carried out by a non-designated processor according to an exemplary embodiment;
Fig. 4 is a block diagram of a firewall according to an exemplary embodiment;
Fig. 5 is a block diagram of an attack-prevention SYN message processing device according to an exemplary embodiment.
Detailed Description
Specific embodiments of the disclosure are described in detail below with reference to the drawings. It should be understood that the specific embodiments described here serve only to describe and explain the disclosure and do not limit it.
The background of the disclosure is introduced first. The firewall is a relay device placed between the terminal and the server; it may be a firewall device integrated at the server end, or a firewall device independent of the server and the terminal. A connection between the terminal and the server is established only after the firewall has verified its reliability. Taking the establishment of a TCP (Transmission Control Protocol) connection as an example, for the terminal to establish a connection with the server it must first carry out a three-way handshake with the firewall; only after the three-way handshake succeeds can the connection to the server be established through the firewall. Under normal circumstances, the three-way handshake between the terminal and the firewall proceeds as follows: the terminal sends a SYN packet to the firewall; the firewall replies to the received SYN message with a SYN acknowledgment packet (i.e. a SYN+ACK packet); after receiving the SYN+ACK packet, the terminal sends an acknowledgment packet (i.e. an ACK packet), and the three-way handshake is complete.
For the firewall, each time a three-way handshake session is carried out, a session control table (i.e. a session table) can be established and stored, so that subsequent data packets are transmitted using the established session table. The firewall can also configure an expiry time for each session table; once the expiry time is reached, the session table can be deleted.
Based on the above background, Fig. 1 is a flowchart of an attack-prevention SYN message processing method according to an exemplary embodiment. As shown in Fig. 1, the method can be applied in a firewall and includes the following steps.
Step S11: Receive a SYN message.
Step S12: Determine how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists.
In the embodiments of the present disclosure, in order to verify whether a received SYN message for establishing a TCP connection may be an attack message, multiple lists can be constructed: a whitelist for storing source IP addresses whose three-way handshake succeeded, a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack.
In step S11, the SYN message received by the firewall may be one sent by a terminal to request a connection with a server, or one sent by a server to request a connection with a terminal; the embodiments of the disclosure do not limit this. The SYN message carries connection information, which may include the source IP address, destination IP address, port number and other information.
After receiving a SYN message, if the firewall is currently under attack, it determines how to handle the SYN message according to the source IP address of the received SYN message, using the whitelist and the other lists together. The embodiments of the disclosure combine multiple lists with multiple functions to determine comprehensively whether a received SYN message is an attack message and thereby how best to handle it, which helps defend against SYN Flood attacks and improves the firewall's performance in defending against them.
The embodiments of the disclosure do not limit how it is determined whether the firewall is under attack; possible ways are described below.
In one embodiment, an alert mode can be provided: at every preset interval, it is checked whether the number of connections currently in the unfinished state on the firewall has reached a preset quantity threshold; when the number is found to have reached the preset quantity threshold, alert mode is entered and the firewall is considered to be under attack. After alert mode has been entered, if the number is found not to reach the preset quantity threshold, alert mode can be exited.
A connection in the unfinished state is a connection whose three-way handshake is not complete, for example the Syn state of waiting to receive a SYN+ACK message after a SYN message has been forwarded, or the SYN+RECV state of waiting to receive an ACK message after a SYN+ACK message has been replied to a received SYN message. When the number of connections in such unfinished states is too large, the situation can be considered abnormal (for example, a SYN Flood attack), so a threshold can be set to judge periodically whether the firewall is under attack, and alert mode can be entered when it is determined to be under attack.
For example, with the preset quantity threshold set to 10,000, every 1 minute (i.e. the preset duration) it is judged whether the number of connections currently in the unfinished state on the firewall has reached 10,000. If it has, the firewall may be under attack and enters alert mode; thereafter, each time a SYN is received, the constructed lists are used to determine how to handle the received message. After entering alert mode, if it is detected that the number of connections in the unfinished state on the firewall is below 10,000, alert mode can be exited.
Alternatively, a ratio threshold can be used to decide whether to enter alert mode. For example, every 1 minute it is judged whether the ratio of the number of connections currently in the unfinished state to all session connections has reached the ratio threshold; if so, alert mode is entered, otherwise alert mode is not entered or is exited.
In the embodiments of the present disclosure, when alert mode has not been entered, the firewall is considered not to be under attack, so the list checks need not be performed on received SYN connections and the three-way handshake proceeds normally; the list checks are used to defend against attack only after alert mode has been entered. In this way the firewall's data processing speed under normal conditions is improved, and it can also defend better when under attack.
Of course, whether or not it is in alert mode, the firewall can put source IP addresses whose three-way handshake succeeded into the whitelist and put IP addresses determined to be attacking into the blacklist, so that in alert mode attack defence can be carried out relatively accurately according to each list. The specific processing is as follows:
1. Construction of the whitelist: each time after a session table is created based on a SYN message, if the three-way handshake succeeds, the whitelist is queried for the source IP address of the SYN message; if it is absent, the source IP address is added to the whitelist, and if it is present nothing is done. The whitelist in the embodiments of the disclosure is a global table; where the firewall has multiple processors, each processor can query and modify the whitelist without locks, so processing is fast.
2. Construction of the blacklist: SYN attacks generally occur in two situations: a host actively attacks multiple servers unintentionally, or multiple hosts purposefully attack the same destination server. The blacklist may therefore include a source IP address blacklist for addresses confirmed as attacks and a destination IP address blacklist for addresses confirmed as attacks.
For a single source IP address, if the number of its connections in the unfinished state reaches a preset threshold, that source IP address can be considered to be carrying out SYN scanning, and it can be added to the source IP address blacklist. To determine the attack source more accurately, the preset threshold here can be set to a relatively high value, for example 10,000. Where the firewall has multiple processors, each processor can sort by count the source IP addresses of connections that are in the unfinished state and have timed out, find the source IP addresses whose count exceeds the preset threshold, determine them to be attacking source IP addresses, and add them to the source IP address blacklist.
For a single destination IP address, if the number of its connections in the unfinished state reaches a preset threshold, the same destination server can be considered to be under attack by a large number of hosts, and the destination IP address and the corresponding source IP addresses can be added to the destination IP address blacklist. (It should be understood that in the destination IP address blacklist, destination IP addresses and source IP addresses are stored in pairs, so if the destination IP address and source IP address of a SYN message match the same destination/source pair in the blacklist, the message can be confirmed as an attack.) To determine the attack source more accurately, the preset threshold here can be set to a relatively high value, for example 10,000. Where the firewall has multiple processors, each processor can sort by count the destination IP addresses of connections that are in the unfinished state and have timed out, find the destination IP addresses whose count exceeds the preset threshold, and add them to the destination IP address blacklist.
Because everything stored in the blacklist is an attacking IP address, the embodiments of the disclosure divert the attack by having only a designated processor query the blacklist. That is, the firewall may include a designated processor and other processors. When the designated processor receives the SYN message and verifies that the source IP address of the SYN message is not in the whitelist, it can verify whether the IP address of the SYN message is in the blacklist; if the designated processor determines that the IP address of the SYN message is in the blacklist, it discards the SYN message; if it determines that the IP address of the SYN message is not in the blacklist, it goes on to determine how to process the SYN message according to the red list. When one of the other processors receives the SYN message and verifies that the source IP address of the SYN message is not in the whitelist, it determines how to process the SYN message according to the red list.
In other words, only the designated processor verifies the blacklist; the other processors do not need to. This diverts most of the attack to the designated processor and keeps attack traffic from affecting normal traffic. How the designated processor verifies the blacklist is described below.
In one embodiment, a source IP address whose number of connections in the unfinished state exceeds a preset threshold can be added to the source IP address blacklist, and hardware configuration carried out so that SYN messages sent by source IP addresses added to the source IP address blacklist are received by the designated processor of the firewall; and a destination IP address whose number of connections in the unfinished state exceeds a preset threshold, together with the corresponding source IP addresses, can be added to the destination IP address blacklist, and hardware configuration carried out so that SYN messages requesting to establish a connection with a destination IP address in the destination IP address blacklist are received by the designated processor. Verifying whether the IP address of the SYN message is in the blacklist can then consist of the designated processor verifying whether the source IP address of the SYN message is in the source IP address blacklist, and verifying whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
The firewall can be a multi-core firewall, i.e. one with multiple processors. When any processor adds a source IP address to the source IP address blacklist, the hardware filter can be configured so that messages sent by source IP addresses added to the source IP address blacklist are received by the designated processor among the multiple processors. During attack defence, only this designated processor then receives messages sent by source IP addresses in the source IP address blacklist, so only this designated processor needs to query the source IP address blacklist. On receiving a SYN message, the designated processor can first judge whether the source IP address of the SYN message is in the whitelist; if it is not, it goes on to judge whether the address is in the source IP address blacklist. If it is, the SYN message is discarded directly; if it is not, the red list is checked further.
Likewise, the destination IP address blacklist stores destination IP addresses confirmed as attack targets together with the corresponding source IP addresses. When an IP address is added to the destination IP address blacklist, the hardware filter can likewise be configured so that messages for destination IP addresses added to the destination IP address blacklist are received by the designated processor among the firewall's multiple processors. During attack defence, only this designated processor then receives messages sent to destination IP addresses in the destination IP address blacklist, so only this designated processor needs to query the destination IP address blacklist. On receiving a SYN message, the designated processor can first judge whether the source IP address of the SYN message is in the whitelist; if it is not, it goes on to judge whether the destination IP address and the source IP address appear as a pair in the destination IP address blacklist. If they do, the SYN message is discarded directly; if they do not, the red list is checked further.
For the other processors, because hardware configuration has been carried out for the blacklist, they will not receive SYN messages from IP addresses in the blacklist and therefore need not query the blacklist; after determining that the source IP address of a received SYN message is not in the whitelist, they proceed directly to the red-list check.
In this way, under attack, a large volume of attack SYN messages is diverted to the designated processor for handling without affecting the normal operation of the other processors, which improves the firewall's ability to defend against attacks.
The red list verification procedure is described below.
In one embodiment, determining how to process the SYN message according to the red list includes: if the source IP address is not in the red list of the current processor that received the SYN message, adding the source IP address to the red list of the current processor and dropping the SYN message; if the SYN message is the 2nd to Nth SYN message sent by the source IP address, replying with an incorrect SYN acknowledgement (SYN+ACK) message, where, after the incorrect SYN acknowledgement message has been sent, if a connection release message from the source IP address is received, the source IP address is moved from the red list of the current processor to the whitelist, N being a preset value greater than 2, and if no connection release message from the source IP address is received, no action is taken; if the SYN message is the (N+1)th SYN message sent by the source IP address, dropping the message and moving the source IP address from the red list of the current processor to the blacklist; and if the source IP address is in the red list of the current processor and its state is attack, dropping the message.
The red list is a per-core resource: each processor has its own red list, which is used to verify whether the SYN messages received by the current processor are attacks. SYN messages are handled on the basis of the red list as follows:
1. If the current processor looks up its red list by the source IP address of the SYN message and finds no entry, it creates an entry and adds it to the red list; this first SYN message is dropped directly.
2. If a red list entry is found and the message is the 2nd to Nth message (for example, N=10) sent by a source IP address, the message is dropped and an incorrect SYN+ACK message is sent in reply, and the processor waits for the connection release message (that is, a reset message) from the source IP address. If a reset message is received, the source IP address is moved to the whitelist, and subsequent messages from that source IP address can be handled as normal traffic. If no reset message is received, no action is taken and the processor continues to wait for the next message from the source IP address.
3. If a red list entry is found and the message is the (N+1)th SYN message sent by a source IP address (after N verification attempts the source IP address has not replied with a reset message, so it is considered an attack), the SYN message is dropped directly and the source IP address is moved from the red list to the blacklist.
In this way, the red list can be used to verify whether SYN messages whose source IP address is in neither the whitelist nor the blacklist are attacks, giving thorough and effective defense. At the same time, because the red list is a local per-core table, performance can scale linearly with the number of processors.
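The dispatch order (whitelist, then blacklist on the designated processor only, then the per-core red list) and the three red list steps can be modelled as follows. This is an added example, not code from the patent: the class and function names, the modulo-based `steer` function standing in for the hardware filter, and the choice to place an (N+1)th offender on the source IP address blacklist are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum

N = 10  # example value from the text; must be greater than 2


class Action(Enum):
    PASS = "normal three-way handshake"
    DROP = "drop"
    DROP_AND_PROBE = "drop and reply with an incorrect SYN+ACK"


@dataclass
class SharedLists:
    """Global tables: the whitelist is read by every core, the blacklists by one."""
    whitelist: set = field(default_factory=set)
    src_blacklist: set = field(default_factory=set)
    dst_blacklist: set = field(default_factory=set)  # (dst_ip, src_ip) pairs


@dataclass
class Core:
    shared: SharedLists
    designated: bool = False
    red: dict = field(default_factory=dict)  # per-core: src_ip -> SYNs seen, no lock

    def on_syn(self, src, dst):
        s = self.shared
        if src in s.whitelist:
            return Action.PASS
        # Only the designated core ever receives blacklisted traffic,
        # so it is the only core that consults the blacklists.
        if self.designated and (src in s.src_blacklist
                                or (dst, src) in s.dst_blacklist):
            return Action.DROP
        count = self.red.get(src, 0) + 1
        if count == 1:            # step 1: create the entry, drop the first SYN
            self.red[src] = 1
            return Action.DROP
        if count <= N:            # step 2: 2nd..Nth SYN, probe with a wrong SYN+ACK
            self.red[src] = count
            return Action.DROP_AND_PROBE
        del self.red[src]         # step 3: (N+1)th SYN and still no reset
        s.src_blacklist.add(src)  # assumption: offenders go to the source blacklist
        return Action.DROP

    def on_reset(self, src):
        """A reset answering the incorrect SYN+ACK shows a real TCP stack at src."""
        if self.red.get(src, 0) >= 2:  # a probe has actually been sent
            del self.red[src]
            self.shared.whitelist.add(src)


def steer(cores, src, dst):
    """Stand-in for the NIC filter: blacklisted flows go to the designated core;
    everything else is spread by source address, so one source always hits one core."""
    shared = cores[0].shared
    if src in shared.src_blacklist or any(d == dst for d, _ in shared.dst_blacklist):
        return next(i for i, c in enumerate(cores) if c.designated)
    return int(ipaddress.ip_address(src)) % len(cores)


def deliver(cores, src, dst):
    """Steer one SYN and return (index of the handling core, its action)."""
    i = steer(cores, src, dst)
    return i, cores[i].on_syn(src, dst)


if __name__ == "__main__":
    shared = SharedLists()
    cores = [Core(shared, designated=(i == 0)) for i in range(4)]
    # Constructed input: a spoofed source that never answers the probes.
    for n in range(1, N + 3):
        print(n, deliver(cores, "203.0.113.9", "192.0.2.10"))
```

In the constructed run the source stays on core 1 for SYNs 1 to N+1 and is steered to the designated core 0 only after it has been blacklisted, so the other cores never query the blacklist.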
In one embodiment, when the source IP address of a received SYN message is in the whitelist, the three-way handshake session normally proceeds as usual, but a three-way handshake timeout can still occur. The state of a whitelisted source IP address whose connection timed out without completing can therefore be set to "to be determined". Step S12 may then include: if the state of the source IP address of the SYN message in the whitelist is "to be determined" and the SYN message is the first one sent by the source IP address after it was set to "to be determined", dropping the SYN message; if the state of the source IP address of the SYN message in the whitelist is "to be determined" and the SYN message is not the first one sent by the source IP address after it was set to "to be determined", replying with a correct SYN acknowledgement message; and if an acknowledgement message from the source IP address is received within the timeout period, replying with a connection release message, setting the state of the source IP address in the whitelist to normal, and waiting for the source IP address to retransmit the SYN message.
That is, for a source IP address in the whitelist, when a three-way handshake does not complete and the session table entry is deleted on timeout, the cause may be that a valid source IP address is sending meaningless SYN scanning attacks. A source IP address in this situation can be verified further, as follows:
1. The source IP address whose connection timed out is set to the "to be determined" state in the whitelist.
2. When a source IP address in the "to be determined" state sends SYN messages again, the first SYN message is dropped directly.
3. For SYN messages sent subsequently, a correct SYN+ACK message is sent in reply.
4. If an ACK message from the source IP address is received within the timeout period, a reset message is sent in reply, the processor waits for the source IP address to retransmit the SYN message, and the state of the source IP address is set to normal.
5. If no ACK message from the source IP address is received within the timeout period, no action is taken. The first predetermined number (for example, 10) of messages sent by the source IP address are all handled as above (a correct SYN+ACK message is sent in reply and an ACK message is awaited). If after 10 or more messages the ACK message from the source IP address has still not been received, the source IP address can be moved to the blacklist, and subsequent messages are all dropped.
In this way, it is possible to verify whether the whitelist contains source IP addresses that may be attacking, so that received SYN messages are handled better and all-round defense against attacks is achieved.
In one embodiment, after an acknowledgement message from the source IP address has been received within the timeout period and a connection release message has been sent in reply, the anomaly count of the source IP address is incremented by one. When the anomaly count of the source IP address reaches the count threshold, the connection information of the SYN message received after the connection release message was sent is added to the yellow list, and the source IP address in the whitelist is marked with the yellow list state. Step S12 may include: if the source IP address of the received SYN message carries the yellow list state mark in the whitelist, querying whether the connection information of the received SYN message is in the yellow list; if it is in the yellow list, replying with a correct SYN acknowledgement message, where, if an acknowledgement message is received within the timeout period, a connection release message is sent in reply and the processor waits for the source IP address to retransmit the SYN message so as to establish the connection; and if no acknowledgement message is received within the timeout period, and none has been received after the SYN acknowledgement message has been sent the preset number of times, marking the connection information as an attack.
For a source IP address marked as "to be determined" in the whitelist, even though the ACK message from the source IP address is received after the SYN+ACK message is sent during verification, this situation is still quite abnormal: a valid source IP address may be sending attack messages at some times and normal messages at others. Each time this situation occurs, the anomaly count can therefore be incremented by 1, and when the anomaly count reaches the count threshold (for example, 100), a yellow list can be built: in the case where the reset message was sent successfully, the connection information of the received SYN message (that is, source IP address, destination IP address and port number) is added to the yellow list, and the source IP address in the whitelist is marked with the yellow list state. From then on, if the source IP address of a received SYN message is in the whitelist and its state is yellow list, the connection information of the SYN message must additionally be looked up in the yellow list. If it is not there, the three-way handshake session proceeds normally. If it is there, a SYN+ACK message is sent in reply; if the ACK message that the source IP address sends in response is received, a reset message is sent and the next SYN message can establish the connection normally. If the SYN+ACK reply has been attempted the preset number of times (for example, 3) and has timed out without the ACK message from the source IP address being received, the SYN message is dropped and the connection information in the yellow list is marked as an attack, after which subsequent messages are all dropped. In this way, defense against SYN attacks can be made more comprehensive.
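The two whitelist checks described above, the "to be determined" verification and the yellow list, can be traced with the model below. It is an added example, not code from the patent: all names are hypothetical, the yellow list is keyed by the (source IP, destination IP, port) tuple of the probed connection, and the single SYN retransmitted after a reset is let through once before that tuple is probed again.

```python
from dataclasses import dataclass, field
from enum import Enum

PENDING_LIMIT = 10       # unanswered probes before blacklisting (example in the text)
ANOMALY_THRESHOLD = 100  # anomaly count that starts the yellow list (example in the text)
YELLOW_RETRIES = 3       # unanswered probes before a tuple is marked attack (example)


class Action(Enum):
    PASS = "normal three-way handshake"
    DROP = "drop"
    PROBE = "reply with a correct SYN+ACK and wait for the ACK"


@dataclass
class WhiteEntry:
    pending: bool = False        # the "to be determined" state
    syns_since_pending: int = 0
    unanswered: int = 0
    anomalies: int = 0
    yellow: bool = False         # yellow list state mark


@dataclass
class YellowEntry:
    unanswered: int = 0
    verified: bool = True        # ACK seen, reset sent: admit the retransmitted SYN
    attack: bool = False


@dataclass
class Verifier:
    whitelist: dict = field(default_factory=dict)  # src -> WhiteEntry
    blacklist: set = field(default_factory=set)
    yellow: dict = field(default_factory=dict)     # (src, dst, port) -> YellowEntry

    def _yellow_entry(self, src, dst, port):
        e = self.whitelist.get(src)
        return self.yellow.get((src, dst, port)) if e and e.yellow else None

    def on_handshake_timeout(self, src):
        e = self.whitelist[src]
        e.pending, e.syns_since_pending, e.unanswered = True, 0, 0

    def on_syn(self, src, dst, port):
        if src in self.blacklist:
            return Action.DROP
        e = self.whitelist[src]  # sources outside the whitelist take the red list path
        y = self._yellow_entry(src, dst, port)
        if y is not None:
            if y.attack:
                return Action.DROP
            if y.verified:
                y.verified = False
                return Action.PASS
            return Action.PROBE
        if e.pending:
            e.syns_since_pending += 1
            return Action.DROP if e.syns_since_pending == 1 else Action.PROBE
        return Action.PASS

    def on_ack(self, src, dst, port):
        """ACK arrived in time: a reset is sent and the source must retransmit."""
        y = self._yellow_entry(src, dst, port)
        if y is not None:
            y.unanswered, y.verified = 0, True
            return
        e = self.whitelist[src]
        e.pending, e.unanswered = False, 0
        e.anomalies += 1         # the handshake timed out, yet the source is alive
        if e.anomalies >= ANOMALY_THRESHOLD:
            e.yellow = True
            self.yellow[(src, dst, port)] = YellowEntry()

    def on_ack_timeout(self, src, dst, port):
        """No ACK came back for a SYN+ACK probe."""
        y = self._yellow_entry(src, dst, port)
        if y is not None:
            y.unanswered += 1
            y.attack = y.unanswered >= YELLOW_RETRIES
            return
        e = self.whitelist[src]
        e.unanswered += 1
        if e.unanswered >= PENDING_LIMIT:
            del self.whitelist[src]
            self.blacklist.add(src)
```

Only the offending tuple is dropped once it is marked as an attack; other connections from the same yellow-marked source still complete a normal handshake.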
In the embodiments of the present disclosure, for distributed SYN attacks, in most cases the attack source controls a large number of zombie machines to carry out the SYN attack. When attacking, the zombie machines usually use not only their own IP addresses but also disguise themselves as similar source IP address ranges. For this situation, the present disclosure can identify the attacker's source IP address range by statistical methods. For example, based on source IP addresses in the red list that have initiated more than 10,000 SYN messages, or source IP addresses with more than 10,000 connections that did not successfully complete the three-way handshake, it analyzes whether a network segment may be emerging. Narrowing the statistics in this way makes it possible to learn and analyze the likely attacking IP address segments. Identifying the IP address segment can be done by a separate thread of a processor that, periodically at regular intervals, performs network segment analysis on newly added IP addresses, so that identifying the segment does not affect the normal SYN message processing logic.
To better illustrate the technical solution of the present disclosure, refer to Fig. 2 and Fig. 3. Fig. 2 takes as its example the processing flow after the designated processor receives a SYN message, and Fig. 3 takes as its example the processing flow after a processor other than the designated processor receives a SYN message; together they describe in detail one possible way of deciding how to process SYN messages using the whitelist, blacklist, red list and yellow list. It can be seen that the embodiments of the present disclosure have at least the following technical effects:
1. The attack defense method based on the blacklist, whitelist, red list and yellow list can, when an attack is encountered, defend both against attacks with invalid source IP addresses and against SYN attacks with valid source IP addresses, so that functionally it defends against various types of attack.
2. With the combined software and hardware method, messages matching the blacklist are sent by the hardware network interface card directly to the designated processor, so that under a high-volume attack most of the attack traffic is diverted and only the designated processor needs to query the blacklist, which improves both attack defense capability and the performance of the overall flow.
3. For the type of SYN attack with valid source IP addresses, the per-core yellow list is designed so that normal traffic from such an IP address passes unimpeded while SYN attacks are still defended against.
4. The overall design fully considers the design of each table under a multi-core architecture: under a high-volume attack, the red list queried is a local table and the yellow list queried is also a local table, so adding attack traffic to the red and yellow lists is lock-free. The whitelist, which is needed in most cases, is queried globally without locks, and the blacklist is queried only by the designated processor, so the whole process ensures that multi-core concurrent performance grows linearly as processors are added.
Referring to Fig. 4, based on the same inventive concept, an embodiment of the present disclosure provides a firewall 300, which may include:
a non-transitory computer-readable storage medium 301;
multiple processors 302, configured to receive a SYN message and, when it is determined that the firewall is under attack, determine how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists;
wherein the whitelist is used to store the source IP addresses of SYN messages whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing the IP addresses of attack SYN messages, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is yet to be determined whether it is an attack, the connection information including source IP address, destination IP address and port number.
Optionally, the multiple processors 302 include a designated processor and other processors besides the designated processor, and the designated processor is configured to:
on receiving the SYN message and verifying that the source IP address of the SYN message is not in the whitelist, verify whether the IP address of the SYN message is in the blacklist;
if it is determined that the IP address of the SYN message is in the blacklist, drop the SYN message; or, if it is determined that the IP address of the SYN message is not in the blacklist, determine how to process the SYN message according to the red list of the current processor that received the SYN message;
the other processors are configured to:
on receiving the SYN message and verifying that the source IP address of the SYN message is not in the whitelist, determine how to process the SYN message according to the red list of the current processor that received the SYN message.
Optionally, the multiple processors 302 are configured to:
if the source IP address of the SYN message is not in the red list of the current processor that received the SYN message, add the source IP address to the red list of the current processor and drop the SYN message;
if the SYN message is the 2nd to Nth SYN message sent by the source IP address, reply with an incorrect SYN acknowledgement message; wherein, after the incorrect SYN acknowledgement message has been sent, if a connection release message from the source IP address is received, the source IP address is moved from the red list of the current processor to the whitelist;
if the SYN message is the (N+1)th SYN message sent by the source IP address, drop the message and move the source IP address from the red list of the current processor to the blacklist.
Optionally, the blacklist includes a source IP address blacklist and a destination IP address blacklist, and the multiple processors 302 are further configured to:
add source IP addresses whose number of connections in the incomplete state exceeds a preset threshold to the source IP address blacklist, and perform hardware configuration so that SYN messages sent by source IP addresses added to the source IP address blacklist are all received by the designated processor;
add destination IP addresses whose number of connections in the incomplete state exceeds a preset threshold, together with the corresponding source IP addresses, to the destination IP address blacklist, and perform hardware configuration so that SYN messages requesting to establish a connection with a destination IP address in the destination IP address blacklist are all received by the designated processor;
the designated processor is configured to:
verify whether the source IP address of the SYN message is in the source IP address blacklist, and verify whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
Optionally, the multiple processors 302 are further configured to:
set the state of a source IP address in the whitelist whose connection timed out without completing to "to be determined";
if the state of the source IP address of the SYN message in the whitelist is "to be determined" and the SYN message is the first one sent by the source IP address after it was set to "to be determined", drop the SYN message;
if the state of the source IP address of the SYN message in the whitelist is "to be determined" and the SYN message is not the first one sent by the source IP address after it was set to "to be determined", reply with a correct SYN acknowledgement message;
if an acknowledgement message from the source IP address is received within the timeout period, reply with a connection release message, set the state of the source IP address in the whitelist to normal, and wait for the source IP address to retransmit the SYN message.
Optionally, the multiple processors 302 are further configured to:
after an acknowledgement message from the source IP address has been received within the timeout period and a connection release message has been sent in reply, increment the anomaly count of the source IP address by one;
when the anomaly count of the source IP address reaches the count threshold, add the connection information of the SYN message received after the connection release message was sent to the yellow list, and mark the source IP address in the whitelist with the yellow list state;
if the source IP address of the received SYN message carries the yellow list state mark in the whitelist, query whether the connection information of the received SYN message is in the yellow list;
if it is in the yellow list, reply with a correct SYN acknowledgement message, wherein, if an acknowledgement message is received within the timeout period, a connection release message is sent in reply and the processor waits for the source IP address to retransmit the SYN message so as to establish the connection; or, if no acknowledgement message is received within the timeout period, and none has been received after the SYN acknowledgement message has been sent the preset number of times, mark the connection information as an attack.
Referring to Fig. 5, based on the same inventive concept, an embodiment of the present disclosure provides an attack-resistant SYN message processing apparatus 400, applied to a firewall, which may include:
a message receiving module 401, configured to receive a SYN message;
a processing module 402, configured to, when it is determined that the firewall is under attack, determine how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists;
wherein the whitelist is used to store the source IP addresses of SYN messages whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing the IP addresses of attack SYN messages, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is yet to be determined whether it is an attack, the connection information including source IP address, destination IP address and port number.
In the embodiments provided by the present disclosure, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into modules or units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed.
The functional modules in the embodiments of the present application may be integrated in one processing unit, each module may exist physically on its own, or two or more modules may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a non-transitory computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, ROM (Read-Only Memory), RAM (Random Access Memory), a magnetic disk or an optical disc.
The above embodiments are intended only to describe the technical solution of the present disclosure in detail. Their description is merely meant to help in understanding the method of the present disclosure and its core idea, and should not be construed as limiting the present disclosure. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed herein shall fall within the protection scope of the present disclosure.
Claims (10)
1. An attack-resistant SYN message processing method, applied to a firewall, characterized in that the method comprises:
receiving a SYN message;
when it is determined that the firewall is under attack, determining how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
wherein the whitelist is used to store the source IP addresses of SYN messages whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing the IP addresses of attack SYN messages, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is yet to be determined whether it is an attack, the connection information including source IP address, destination IP address and port number.
2. The method according to claim 1, characterized in that the firewall includes a designated processor and other processors, and determining how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists comprises:
when the designated processor receives the SYN message and verifies that the source IP address of the SYN message is not in the whitelist, verifying whether the IP address of the SYN message is in the blacklist;
if the designated processor determines that the IP address of the SYN message is in the blacklist, dropping the SYN message; or, if the designated processor determines that the IP address of the SYN message is not in the blacklist, determining how to process the SYN message according to the red list;
when one of the other processors receives the SYN message and verifies that the source IP address of the SYN message is not in the whitelist, determining how to process the SYN message according to the red list.
3. The method according to claim 2, characterized in that determining how to process the SYN message according to the red list comprises:
if the source IP address of the SYN message is not in the red list of the current processor that received the SYN message, adding the source IP address to the red list of the current processor and dropping the SYN message;
if the SYN message is the 2nd to Nth SYN message sent by the source IP address, replying with an incorrect SYN acknowledgement message; wherein, after the incorrect SYN acknowledgement message has been sent, if a connection release message from the source IP address is received, the source IP address is moved from the red list of the current processor to the whitelist;
if the SYN message is the (N+1)th SYN message sent by the source IP address, dropping the message and moving the source IP address from the red list of the current processor to the blacklist.
4. The method according to claim 2, characterized in that the blacklist includes a source IP address blacklist and a destination IP address blacklist, and the method further comprises:
adding source IP addresses whose number of connections in the incomplete state exceeds a preset threshold to the source IP address blacklist, and performing hardware configuration so that SYN messages sent by source IP addresses added to the source IP address blacklist are all received by the designated processor;
adding destination IP addresses whose number of connections in the incomplete state exceeds a preset threshold, together with the corresponding source IP addresses, to the destination IP address blacklist, and performing hardware configuration so that SYN messages requesting to establish a connection with a destination IP address in the destination IP address blacklist are all received by the designated processor;
verifying whether the IP address of the SYN message is in the blacklist comprises:
the designated processor verifying whether the source IP address of the SYN message is in the source IP address blacklist, and verifying whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
5. The method according to claim 1, characterized in that the method further comprises:
setting the state of a source IP address in the whitelist whose connection timed out without completing to "to be determined";
determining how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists comprises:
if the state of the source IP address of the SYN message in the whitelist is "to be determined" and the SYN message is the first one sent by the source IP address after it was set to "to be determined", dropping the SYN message;
if the state of the source IP address of the SYN message in the whitelist is "to be determined" and the SYN message is not the first one sent by the source IP address after it was set to "to be determined", replying with a correct SYN acknowledgement message;
if an acknowledgement message from the source IP address is received within the timeout period, replying with a connection release message, setting the state of the source IP address in the whitelist to normal, and waiting for the source IP address to retransmit the SYN message.
6. The method according to claim 5, characterized in that the method further comprises:
after an acknowledgement message from the source IP address has been received within the timeout period and a connection release message has been sent in reply, incrementing the anomaly count of the source IP address by one;
when the anomaly count of the source IP address reaches the count threshold, adding the connection information of the SYN message received after the connection release message was sent to the yellow list, and marking the source IP address in the whitelist with the yellow list state;
determining how to process the SYN message according to the source IP address of the SYN message and the constructed whitelist and other lists comprises:
if the source IP address of the received SYN message carries the yellow list state mark in the whitelist, querying whether the connection information of the received SYN message is in the yellow list;
if it is in the yellow list, replying with a correct SYN acknowledgement message, wherein, if an acknowledgement message is received within the timeout period, a connection release message is sent in reply and the source IP address is awaited to retransmit the SYN message so as to establish the connection; or, if no acknowledgement message is received within the timeout period, and none has been received after the SYN acknowledgement message has been sent the preset number of times, marking the connection information as an attack.
7. A firewall, characterized by comprising:
a non-transitory computer-readable storage medium;
multiple processors, configured to receive a SYN message and, when it is determined that the firewall is under attack, determine how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
wherein the whitelist is used to store source IP addresses whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is yet to be determined whether it is an attack, the connection information including source IP address, destination IP address and port number.
8. The firewall according to claim 7, characterized in that the multiple processors include a designated processor and other processors, and the designated processor is configured to:
on receiving the SYN message and verifying that the source IP address of the SYN message is not in the whitelist, verify whether the IP address of the SYN message is in the blacklist;
if it is determined that the IP address of the SYN message is in the blacklist, drop the SYN message; or, if it is determined that the IP address of the SYN message is not in the blacklist, determine how to process the SYN message according to the red list of the current processor that received the SYN message;
the other processors are configured to:
on receiving the SYN message and verifying that the source IP address of the SYN message is not in the whitelist, determine how to process the SYN message according to the red list of the current processor that received the SYN message.
9. An attack-resistant SYN message processing apparatus, applied to a firewall, characterized by comprising:
a message receiving module, configured to receive a SYN message;
a processing module, configured to, when it is determined that the firewall is under attack, determine how to process the SYN message according to the source IP address of the SYN message and a constructed whitelist and other lists;
wherein the whitelist is used to store source IP addresses whose three-way handshake succeeded; the other lists include at least one of a blacklist for storing attacking IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is yet to be determined whether it is an attack, the connection information including source IP address, destination IP address and port number.
10. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium includes one or more programs, the one or more programs being used to perform the method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810308208.8A CN108551446B (en) | 2018-04-08 | 2018-04-08 | Anti-attack SYN message processing method and device, firewall and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810308208.8A CN108551446B (en) | 2018-04-08 | 2018-04-08 | Anti-attack SYN message processing method and device, firewall and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108551446A (en) | 2018-09-18 |
CN108551446B (en) | 2020-11-27 |
Family
ID=63514233
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810308208.8A Active CN108551446B (en) | Anti-attack SYN message processing method and device, firewall and storage medium | 2018-04-08 | 2018-04-08 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108551446B (en) |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110213254A (en) * | 2019-05-27 | 2019-09-06 | 北京神州绿盟信息安全科技股份有限公司 | A kind of method and apparatus that Internet protocol IP packet is forged in identification |
CN110912907A (en) * | 2019-11-28 | 2020-03-24 | 杭州迪普科技股份有限公司 | Attack protection method and device in SSL handshake phase |
CN111083154A (en) * | 2019-12-24 | 2020-04-28 | 北京网太科技发展有限公司 | Safety protection method, device and storage medium |
WO2020133603A1 (en) * | 2018-12-27 | 2020-07-02 | 网宿科技股份有限公司 | Dr mode protection method and device |
CN111614629A (en) * | 2020-04-29 | 2020-09-01 | 浙江德迅网络安全技术有限公司 | Dynamic defense system and method for CC attack |
CN111756713A (en) * | 2020-06-15 | 2020-10-09 | Oppo(重庆)智能科技有限公司 | Network attack identification method and device, computer equipment and medium |
CN112311731A (en) * | 2019-07-29 | 2021-02-02 | 联合汽车电子有限公司 | Vehicle-mounted processor, vehicle-mounted controller and communication method |
CN112565309A (en) * | 2021-02-26 | 2021-03-26 | 腾讯科技(深圳)有限公司 | Message processing method, device, equipment and storage medium |
CN112714102A (en) * | 2020-12-02 | 2021-04-27 | 国家计算机网络与信息安全管理中心 | SYN Flood attack defense method under multi-core heterogeneous platform |
CN112769791A (en) * | 2020-12-30 | 2021-05-07 | 北京天融信网络安全技术有限公司 | Network defense method and device |
CN112910831A (en) * | 2019-12-04 | 2021-06-04 | 中兴通讯股份有限公司 | Message matching method and device, firewall equipment and storage medium |
CN113709105A (en) * | 2021-07-20 | 2021-11-26 | 深圳市风云实业有限公司 | SYN Flood attack detection method based on counting type bloom filter |
CN113783857A (en) * | 2021-08-31 | 2021-12-10 | 新华三信息安全技术有限公司 | Anti-attack method, device, equipment and machine readable storage medium |
CN115102781A (en) * | 2022-07-14 | 2022-09-23 | 中国电信股份有限公司 | Network attack processing method, device, electronic equipment and medium |
CN115225368A (en) * | 2022-07-15 | 2022-10-21 | 北京天融信网络安全技术有限公司 | Message processing method and device, electronic equipment and storage medium |
EP4366236A4 (en) * | 2021-10-15 | 2024-05-08 | Huawei Technologies Co., Ltd. | Method and apparatus for identifying source address of message |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103916389A (en) * | 2014-03-19 | 2014-07-09 | 汉柏科技有限公司 | Method for preventing HttpFlood attack and firewall |
WO2016029126A1 (en) * | 2014-08-21 | 2016-02-25 | Verasynth Inc. | Secure integration of web and mobile applications with enterprise application servers |
CN105827646A (en) * | 2016-05-17 | 2016-08-03 | 浙江宇视科技有限公司 | SYN attack protecting method and device |
CN106034056A (en) * | 2015-03-18 | 2016-10-19 | 北京启明星辰信息安全技术有限公司 | Service safety analysis method and system thereof |
CN107864156A (en) * | 2017-12-18 | 2018-03-30 | 东软集团股份有限公司 | Ssyn attack defence method and device, storage medium |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103916389A (en) * | 2014-03-19 | 2014-07-09 | 汉柏科技有限公司 | Method for preventing HttpFlood attack and firewall |
WO2016029126A1 (en) * | 2014-08-21 | 2016-02-25 | Verasynth Inc. | Secure integration of web and mobile applications with enterprise application servers |
CN106034056A (en) * | 2015-03-18 | 2016-10-19 | 北京启明星辰信息安全技术有限公司 | Service safety analysis method and system thereof |
CN105827646A (en) * | 2016-05-17 | 2016-08-03 | 浙江宇视科技有限公司 | SYN attack protecting method and device |
CN107864156A (en) * | 2017-12-18 | 2018-03-30 | 东软集团股份有限公司 | Ssyn attack defence method and device, storage medium |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020133603A1 (en) * | 2018-12-27 | 2020-07-02 | 网宿科技股份有限公司 | Dr mode protection method and device |
CN110213254A (en) * | 2019-05-27 | 2019-09-06 | 北京神州绿盟信息安全科技股份有限公司 | A kind of method and apparatus that Internet protocol IP packet is forged in identification |
CN112311731A (en) * | 2019-07-29 | 2021-02-02 | 联合汽车电子有限公司 | Vehicle-mounted processor, vehicle-mounted controller and communication method |
CN110912907B (en) * | 2019-11-28 | 2022-08-26 | 杭州迪普科技股份有限公司 | Attack protection method and device in SSL handshake phase |
CN110912907A (en) * | 2019-11-28 | 2020-03-24 | 杭州迪普科技股份有限公司 | Attack protection method and device in SSL handshake phase |
CN112910831A (en) * | 2019-12-04 | 2021-06-04 | 中兴通讯股份有限公司 | Message matching method and device, firewall equipment and storage medium |
CN111083154A (en) * | 2019-12-24 | 2020-04-28 | 北京网太科技发展有限公司 | Safety protection method, device and storage medium |
CN111614629A (en) * | 2020-04-29 | 2020-09-01 | 浙江德迅网络安全技术有限公司 | Dynamic defense system and method for CC attack |
CN111756713A (en) * | 2020-06-15 | 2020-10-09 | Oppo(重庆)智能科技有限公司 | Network attack identification method and device, computer equipment and medium |
CN111756713B (en) * | 2020-06-15 | 2022-12-27 | Oppo广东移动通信有限公司 | Network attack identification method and device, computer equipment and medium |
CN112714102A (en) * | 2020-12-02 | 2021-04-27 | 国家计算机网络与信息安全管理中心 | SYN Flood attack defense method under multi-core heterogeneous platform |
CN112769791A (en) * | 2020-12-30 | 2021-05-07 | 北京天融信网络安全技术有限公司 | Network defense method and device |
CN112565309B (en) * | 2021-02-26 | 2021-05-14 | 腾讯科技(深圳)有限公司 | Message processing method, device, equipment and storage medium |
CN112565309A (en) * | 2021-02-26 | 2021-03-26 | 腾讯科技(深圳)有限公司 | Message processing method, device, equipment and storage medium |
CN113709105A (en) * | 2021-07-20 | 2021-11-26 | 深圳市风云实业有限公司 | SYN Flood attack detection method based on counting type bloom filter |
CN113709105B (en) * | 2021-07-20 | 2023-08-29 | 深圳市风云实业有限公司 | SYN Flood attack detection method based on counting type bloom filter |
CN113783857A (en) * | 2021-08-31 | 2021-12-10 | 新华三信息安全技术有限公司 | Anti-attack method, device, equipment and machine readable storage medium |
CN113783857B (en) * | 2021-08-31 | 2023-11-07 | 新华三信息安全技术有限公司 | Anti-attack method, device, equipment and machine-readable storage medium |
EP4366236A4 (en) * | 2021-10-15 | 2024-05-08 | Huawei Technologies Co., Ltd. | Method and apparatus for identifying source address of message |
CN115102781A (en) * | 2022-07-14 | 2022-09-23 | 中国电信股份有限公司 | Network attack processing method, device, electronic equipment and medium |
CN115102781B (en) * | 2022-07-14 | 2024-01-09 | 中国电信股份有限公司 | Network attack processing method, device, electronic equipment and medium |
CN115225368A (en) * | 2022-07-15 | 2022-10-21 | 北京天融信网络安全技术有限公司 | Message processing method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN108551446B (en) | 2020-11-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108551446A (en) | SYN message processing methods, device, fire wall and the storage medium of attack protection | |
CN110445770B (en) | Network attack source positioning and protecting method, electronic equipment and computer storage medium | |
CN101202742B (en) | Method and system for preventing refusal service attack | |
US9288218B2 (en) | Securing an accessible computer system | |
CN107395632B (en) | SYN Flood protection method, device, cleaning equipment and medium | |
CN100518052C (en) | Method and apparatus for providing node security in a router of a packet network | |
EP2790382A1 (en) | Protection method and device against attacks | |
CN110365658B (en) | Reflection attack protection and flow cleaning method, device, equipment and medium | |
US20140325651A1 (en) | Method of defending against a spoofing attack by using a blocking server | |
CN111212096B (en) | Method, device, storage medium and computer for reducing IDC defense cost | |
CN105812318B (en) | For preventing method, controller and the system of attack in a network | |
CN100420197C (en) | Method for guarding against attack realized for networked devices | |
CN104883360A (en) | ARP spoofing fine-grained detecting method and system | |
CN112039887A (en) | CC attack defense method and device, computer equipment and storage medium | |
CN104901953A (en) | Distributed detection method and system for ARP (Address Resolution Protocol) cheating | |
CN108737344B (en) | Network attack protection method and device | |
CN105939322B (en) | message attack protection method and device | |
CN111935108B (en) | Cloud data security access control method and device, electronic device and storage medium | |
CN107454065B (en) | Method and device for protecting UDP Flood attack | |
CN108667829A (en) | A kind of means of defence of network attack, device and storage medium | |
WO2019096104A1 (en) | Attack prevention | |
CN109347810A (en) | A kind of method and apparatus handling message | |
CN109005164A (en) | A kind of network system, equipment, network data exchange method and storage medium | |
JP2019152912A (en) | Unauthorized communication handling system and method | |
CN111901284B (en) | Flow control method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||