CN108551446B - Anti-attack SYN message processing method and device, firewall and storage medium - Google Patents

Anti-attack SYN message processing method and device, firewall and storage medium

Info

Publication number: CN108551446B
Authority: CN (China)
Prior art keywords: address, source, message, syn, syn message
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201810308208.8A
Other languages: Chinese (zh)
Other versions: CN108551446A (en)
Inventors: 刘健男, 党丽娜
Current assignee: Neusoft Corp
Original assignee: Neusoft Corp

Application filed by Neusoft Corp
Priority to CN201810308208.8A
Publication of CN108551446A
Application granted
Publication of CN108551446B

Classifications (CPC)

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/02 Network architectures or protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/10 Network architectures or protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Abstract

The disclosure relates to a SYN message processing method and device for protecting equipment against attack, a firewall and a storage medium, and improves the performance of the firewall in defending against SYN Flood attacks. The method comprises the following steps: receiving a SYN message; when the firewall is determined to be under attack, determining how to process the SYN message according to the source IP address of the SYN message and the constructed white list and other lists. The white list stores source IP addresses that have completed a three-way handshake; the other lists include at least one of a blacklist for storing attack IP addresses, a red list for verifying whether the SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether the SYN message is an attack, wherein the connection information includes a source IP address, a destination IP address and a port number.

Description

Anti-attack SYN message processing method and device, firewall and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an anti-attack SYN packet processing method and apparatus, a firewall, and a storage medium.
Background
SYN Flood attacks are one of the most widely known DoS (Denial of Service) and DDoS (Distributed Denial of Service) attack methods. They exploit a design weakness of TCP (Transmission Control Protocol): the attacker sends a large number of TCP three-way-handshake first packets (SYN messages, the handshake signal used when TCP/IP establishes a connection) from forged IP addresses or IP address ranges, so that the attacked party has to consume memory to keep each connection in a half-open state until it times out and can no longer process other, normal services; this achieves the goal of the attack.
At present, the following methods are mainly used to defend against SYN Flood attacks. First, monitoring and releasing invalid connections: connections in an incomplete state are monitored and torn down once a certain threshold is reached, which releases the resources they hold. However, this approach treats all connections alike, and since the number of half-open connections produced by a SYN Flood is large, normal connection requests may be swamped and released along with the attack connections during the attack. Second, reducing the consumption of server resources: because the server allocates a TCB (transmission control block) as soon as a SYN packet arrives, resources are tied up immediately, and because a SYN Flood almost never completes a normal connection, the TCB is instead allocated only after the normal connection has been established, which effectively reduces server resource consumption. However, this approach only relieves the server relatively; the firewall's own resources may still be exhausted.
Therefore, no satisfactory method for defending against SYN Flood attacks exists at present.
Disclosure of Invention
The invention aims to provide a SYN message processing method and device for protecting equipment against attack, a firewall and a storage medium, which improve the performance of the firewall in defending against SYN Flood attacks.
According to a first aspect of the embodiments of the present invention, there is provided a SYN packet processing method for preventing attacks, applied to a firewall, including:
receiving a SYN message;
when the firewall is determined to be attacked, determining a processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists;
the white list is used for storing the source IP address of successful three-way handshake; the other lists include at least one of a blacklist used for storing attack IP addresses, a red list used for verifying whether the SYN message is an attack message, and a yellow list used for storing connection information to be determined whether the SYN message is an attack, wherein the connection information includes a source IP address, a destination IP address and a port number.
Optionally, the firewall includes a designated processor and other processors, and determining the processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists includes:
when the designated processor receives the SYN message and verifies that the source IP address of the SYN message is not in the white list, verifying whether the IP address of the SYN message is in the blacklist;
if the designated processor determines that the IP address of the SYN message is in the blacklist, discarding the SYN message; or, if the designated processor determines that the IP address of the SYN message is not in the blacklist, determining the processing mode of the SYN message according to the red list;
and when one of the other processors receives the SYN message and verifies that the source IP address of the SYN message is not in the white list, determining the processing mode of the SYN message according to the red list.
Optionally, determining the processing mode of the SYN message according to the red list includes:
if the source IP address of the SYN message is not in the red list of the processor currently receiving the SYN message, adding the source IP address to that processor's red list and discarding the SYN message;
if the SYN message is the 2nd to Nth SYN message sent by the source IP address, replying with an incorrect SYN confirmation message (a SYN+ACK whose acknowledgement number does not match); after replying with the incorrect SYN confirmation message, if a connection release message sent by the source IP address is received, moving the source IP address from the red list of the current processor to the white list;
if the SYN message is the (N+1)th SYN message sent by the source IP address, discarding the message and moving the source IP address from the red list of the current processor to the blacklist.
Optionally, the blacklist includes a source IP address blacklist and a destination IP address blacklist, and the method further includes:
adding source IP addresses whose number of connections in an incomplete state exceeds a preset threshold to the source IP address blacklist, and configuring the hardware so that SYN messages sent by source IP addresses in the source IP address blacklist are received by the designated processor;
adding destination IP addresses whose number of connections in an incomplete state exceeds a preset threshold, together with the corresponding source IP addresses, to the destination IP address blacklist, and configuring the hardware so that SYN messages requesting a connection to a destination IP address in the destination IP address blacklist are received by the designated processor;
verifying whether the IP address of the SYN message is in the blacklist then includes:
the designated processor verifying whether the source IP address of the SYN message is in the source IP address blacklist, and verifying whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
Optionally, the method further includes:
setting the state of a source IP address in the white list that has not established a connection within a preset time to pending;
determining the processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists then includes:
if the source IP address of the SYN message is in the pending state in the white list and the SYN message is the first SYN message sent after the source IP address was set to pending, discarding the SYN message;
if the source IP address of the SYN message is in the pending state in the white list and the SYN message is not the first SYN message sent after the source IP address was set to pending, replying with a correct SYN confirmation message;
if the confirmation message sent by the source IP address is received within the timeout, replying with a connection release message, setting the state of the source IP address in the white list to normal, and waiting for the source IP address to send its SYN message again.
Optionally, the method further includes:
after receiving the confirmation message sent by the source IP address within the timeout and replying with the connection release message, incrementing the abnormal count of the source IP address by one;
when the abnormal count of the source IP address reaches a count threshold, adding the connection information of the SYN message received after the connection release message was sent to the yellow list, and marking the source IP address in the white list with a yellow-list state;
determining the processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists then includes:
if the source IP address of the received SYN message is in the white list and carries the yellow-list state mark, querying, using the connection information of the received SYN message, whether the connection is in the yellow list;
if it is in the yellow list, replying with a correct SYN confirmation message; then, if the confirmation message is received within the timeout, replying with a connection release message and waiting for the source IP address to resend the SYN message so that the connection can be established; or, if no confirmation message is received within the timeout and none is received after a preset number of SYN confirmation messages have been sent, marking the connection information as an attack.
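The pending-state re-validation and the yellow-list escalation described in the optional steps above, as an added worked example in Python; this code is not part of the patent or of any Neusoft product. The constants IDLE_LIMIT, ACK_TIMEOUT, ABNORMAL_LIMIT and MAX_SYNACK are assumed values standing in for the patent's unspecified presets, the class and method names are invented for the example, "rst" stands for the connection release message, and two points the text leaves open are handled by assumption: the first new flow from a yellow-marked source is the one whose connection information is recorded in the yellow list, and a yellow-listed flow whose probe succeeded is forwarded on its next SYN.

```python
from dataclasses import dataclass

# Assumed constants (the patent leaves the actual values as presets)
IDLE_LIMIT = 300.0      # seconds without a connection before a whitelisted source becomes pending
ACK_TIMEOUT = 3.0       # seconds allowed for the client's ACK after a correct SYN+ACK
ABNORMAL_LIMIT = 3      # re-validations after which the source is placed under yellow-list scrutiny
MAX_SYNACK = 3          # SYN+ACKs sent with no ACK before a yellow-listed flow is marked as attack


@dataclass
class WhiteEntry:
    last_seen: float
    state: str = "normal"       # normal | pending | yellow
    syns_since_pending: int = 0
    synack_time: float = 0.0
    abnormal: int = 0


@dataclass
class YellowEntry:              # keyed by connection info (src, dst, dport)
    synack_sent: int = 0
    synack_time: float = 0.0
    verified: bool = False
    attack: bool = False


class WhiteListGuard:
    def __init__(self):
        self.white = {}         # src -> WhiteEntry
        self.yellow = {}        # (src, dst, dport) -> YellowEntry

    def admit(self, src, t):
        """Source completed a real three-way handshake: add it to the white list."""
        self.white[src] = WhiteEntry(last_seen=t)

    def tick(self, t):
        """Periodic sweep: idle sources become pending; yellow flows that received
        MAX_SYNACK SYN+ACKs and still never ACKed in time are marked as attack."""
        for e in self.white.values():
            if e.state == "normal" and t - e.last_seen > IDLE_LIMIT:
                e.state, e.syns_since_pending = "pending", 0
        for y in self.yellow.values():
            if not y.attack and y.synack_sent >= MAX_SYNACK and t - y.synack_time > ACK_TIMEOUT:
                y.attack = True

    def on_syn(self, src, dst, dport, t):
        """Firewall action for a SYN whose source is (or is not) in the white list."""
        e = self.white.get(src)
        if e is None:
            return "not_whitelisted"        # handled by the blacklist / red list path instead
        if e.state == "normal":
            e.last_seen = t
            return "forward"
        if e.state == "pending":
            e.syns_since_pending += 1
            if e.syns_since_pending == 1:
                return "drop"               # first SYN after going pending: a real client retransmits
            e.synack_time = t
            return "synack"                 # correct SYN+ACK: only a real stack can ACK it
        # yellow state: every flow is checked on its own connection info
        flow = (src, dst, dport)
        y = self.yellow.get(flow)
        if y is None:                       # assumption: the SYN following the release message
            y = self.yellow[flow] = YellowEntry()   # is the one recorded in the yellow list
        if y.attack:
            return "drop"
        if y.verified:
            return "forward"                # assumption: the re-sent SYN after a successful probe
        y.synack_sent += 1
        y.synack_time = t
        return "synack"

    def on_ack(self, src, dst, dport, t):
        """ACK to a probe SYN+ACK. Within the timeout it proves a real stack: the probe
        connection is released with a RST and the source's next SYN is let through."""
        e = self.white.get(src)
        if e is None:
            return "ignore"
        if e.state == "pending" and t - e.synack_time <= ACK_TIMEOUT:
            e.state, e.last_seen = "normal", t
            e.abnormal += 1
            if e.abnormal >= ABNORMAL_LIMIT:
                e.state = "yellow"          # too many re-validations: scrutinise per flow from now on
            return "rst"
        y = self.yellow.get((src, dst, dport))
        if e.state == "yellow" and y and not y.attack and t - y.synack_time <= ACK_TIMEOUT:
            y.verified = True
            return "rst"
        return "ignore"
```

Driving the guard with timestamps (admit, let the source go idle three times, then probe two flows) shows the escalation: a flow that ACKs the probe is released and forwarded on its next SYN, while a flow that never ACKs after MAX_SYNACK probes is marked as an attack and dropped.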
According to a second aspect of the embodiments of the present invention, there is provided an anti-attack SYN packet processing apparatus, applied to a firewall, including:
a message receiving module for receiving SYN message;
the processing module is used for determining a processing mode of the SYN message according to the source IP address of the SYN message, the constructed white list and other lists when the firewall is determined to be attacked;
the white list is used for storing the source IP address of successful three-way handshake; the other lists include at least one of a blacklist used for storing attack IP addresses, a red list used for verifying whether the SYN message is an attack message, and a yellow list used for storing connection information to be determined whether the SYN message is an attack, wherein the connection information includes a source IP address, a destination IP address and a port number.
According to a third aspect of the embodiments of the present invention, there is provided a firewall, including:
a non-transitory computer-readable storage medium;
a plurality of processors for receiving SYN messages; and when the firewall is determined to be attacked, determining a processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists;
the white list is used for storing the source IP address of successful three-way handshake; the other lists include at least one of a blacklist used for storing attack IP addresses, a red list used for verifying whether the SYN message is an attack message, and a yellow list used for storing connection information to be determined whether the SYN message is an attack, wherein the connection information includes a source IP address, a destination IP address and a port number.
Optionally, the plurality of processors includes a designated processor and other processors, and the designated processor is configured to:
when a SYN message is received and the source IP address of the SYN message is verified not to be in the white list, verify whether the IP address of the SYN message is in the blacklist;
if the IP address of the SYN message is determined to be in the blacklist, discard the SYN message; or, if the IP address of the SYN message is determined not to be in the blacklist, determine the processing mode of the SYN message according to the red list of the processor currently receiving the SYN message;
and the other processors are configured to:
when a SYN message is received and the source IP address of the SYN message is verified not to be in the white list, determine the processing mode of the SYN message according to the red list of the processor currently receiving the SYN message.
According to a fourth aspect of embodiments of the present invention, there is provided a computer readable storage medium, including one or more programs therein for performing the method of any of the first aspects.
In the embodiments of the present disclosure, a plurality of lists may be constructed: a white list for storing source IP addresses that have completed a three-way handshake, a blacklist for storing attack IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack. When the firewall, acting as a relay device between the terminal and the server, receives a SYN message and is determined to be under attack, how to process the SYN message can be decided according to the source IP address of the SYN message, the constructed white list and the other lists. In this way, several lists with different functions can be combined to judge whether a received SYN message is an attack message, SYN Flood attacks can be defended against effectively, and the performance of the firewall in defending against SYN Flood attacks is improved.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
FIG. 1 is a flow diagram illustrating an anti-attack SYN message processing method according to an example embodiment;
FIG. 2 is a flow diagram illustrating SYN message processing by a designated processor according to an example embodiment;
FIG. 3 is a flow diagram illustrating SYN message processing by a non-designated processor according to an example embodiment;
FIG. 4 is a block diagram illustrating a firewall according to an example embodiment;
FIG. 5 is a block diagram illustrating an anti-attack SYN message processing apparatus according to an example embodiment.
Detailed Description
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
An implementation background of the present disclosure is described first. The firewall is a relay device placed between the terminal and the server; it may be a firewall device integrated at the server end or a firewall device independent of both the server and the terminal. A connection between the terminal and the server is established only after the firewall has verified that it is legitimate. Taking the establishment of a TCP (Transmission Control Protocol) connection as an example, a terminal that wants to connect to the server first performs a three-way handshake with the firewall, and only after that handshake succeeds can the terminal establish the connection with the server through the firewall. Under normal conditions, the three-way handshake between the terminal and the firewall proceeds as follows: the terminal sends a SYN packet to the firewall, the firewall replies with a SYN confirmation packet (i.e. a SYN+ACK packet) for the received SYN message, the terminal sends a confirmation packet (i.e. an ACK packet) after receiving the SYN+ACK packet, and the three-way handshake is complete.
For the firewall, each time a three-way handshake is performed, a session control table (i.e. a session table) is created and stored, so that subsequent packets transfer data using the established session table. The firewall also configures an expiration time for each session table and deletes the session table when the expiration time is reached.
Based on the above implementation background, fig. 1 is a flowchart illustrating an anti-attack SYN packet processing method according to an exemplary embodiment, and as shown in fig. 1, the anti-attack SYN packet processing method may be applied in a firewall, and includes the following steps.
Step S11: and receiving a SYN message.
Step S12: and determining a processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists.
In the embodiments of the present disclosure, in order to verify whether a received SYN message for establishing a TCP connection is a possible attack message, a plurality of lists may be constructed: a white list for storing source IP addresses that have completed a three-way handshake, a blacklist for storing attack IP addresses, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is still to be determined whether it is an attack.
In step S11, the SYN message received by the firewall may be one sent by the terminal to request a connection with the server, or one sent by the server to request a connection with the terminal; the disclosure does not limit this. The SYN message carries connection information, which may include the source IP address, the destination IP address and the port number.
After the firewall receives the SYN message, if the firewall is currently in the attacked state, how to process the SYN message is determined according to the source IP address of the received SYN message together with the white list and the other lists. The embodiments of the disclosure can thus judge, using several lists with different functions, whether a received SYN message is an attack message and determine how best to process it, which helps defend against SYN Flood attacks and improves the performance of the firewall in defending against them.
The embodiments of the disclosure do not limit how it is determined whether the firewall is under attack; possible ways are described below.
In one embodiment, an alarm mode may be defined. Every preset time interval, it is detected whether the number of connections of the firewall currently in an incomplete state reaches a preset count threshold; when it does, the firewall enters the alarm mode and is determined to be under attack. After entering the alarm mode, if the detected number no longer reaches the preset count threshold, the alarm mode is exited.
A connection in an incomplete state is one whose three-way handshake has not completed, such as the SYN (SYN_SENT) state, waiting for a SYN+ACK packet after forwarding a SYN packet, and the SYN_RECV state, waiting for an ACK packet after replying with a SYN+ACK packet to a received SYN packet. When the number of such incomplete connections is too large, the situation may be considered abnormal (e.g. a SYN Flood attack); therefore a threshold may be set to periodically determine whether the firewall is under attack, and the alarm mode may be entered when it is.
For example, with the preset count threshold set to 10,000, every 1 minute (the preset time interval) it is determined whether the number of connections of the firewall currently in an incomplete state reaches 10,000; if so, the firewall is possibly under attack and enters the alarm mode, after which, each time a SYN message is received, how to process it is decided using the constructed lists. After entering the alarm mode, if the detected number of incomplete connections is below 10,000, the alarm mode can be exited.
Alternatively, the decision to enter the alarm mode may be made with a ratio threshold. For example, every 1 minute it is determined whether the ratio of the number of connections currently in an incomplete state to all session connections of the firewall reaches a ratio threshold; if so, the firewall enters the alarm mode, otherwise it does not enter, or exits, the alarm mode.
In the embodiments of the present disclosure, when the firewall has not entered the alarm mode, it may be determined that the firewall is not currently under attack; received SYN connections are then not subjected to the multi-list checks but complete the three-way handshake normally, and only after the firewall enters the alarm mode are attacks defended against using the multi-list checks. In this way, the firewall's data processing speed under normal conditions is improved, and better defense is provided when under attack.
Of course, regardless of whether it is in the alarm mode, the firewall may continuously put source IP addresses that complete the three-way handshake into the white list and IP addresses determined to be attackers into the blacklist, so that defense according to each list is more accurate once the alarm mode is entered. The specific processing is as follows:
1. Construction of the white list: each time a session table is created for a SYN message and the three-way handshake succeeds, the white list is queried for the source IP address of the SYN message; if it is absent, it is added, and if it is present, nothing is done. The white list in the embodiments of the disclosure is a global table; when the firewall has multiple processors, each processor can query and modify the white list without locking, so processing is fast.
2. Construction of the blacklist: SYN attacks generally fall into two cases: a single host attacking many servers indiscriminately, or many hosts deliberately attacking the same target server. The blacklist may therefore include a source IP address blacklist of identified attacking sources and a destination IP address blacklist of identified attacked destinations.
For a given source IP address, if its number of connections in an incomplete state reaches a preset threshold, the source IP address may be considered to be performing SYN scanning and is added to the source IP address blacklist. To identify attack sources more accurately, the preset threshold may be set to a high value, such as 10,000. When the firewall has multiple processors, each processor may tally, by source IP address, the connections that are in an incomplete state and have timed out, find the source IP addresses whose count exceeds the preset threshold, determine them to be attack source IP addresses, and add them to the source IP address blacklist.
For a given destination IP address, if its number of connections in an incomplete state reaches a preset threshold, the destination server may be considered to be under attack by a large number of hosts, and the destination IP address together with the corresponding source IP addresses may be added to the destination IP address blacklist (it should be understood that the destination IP address blacklist stores destination and source IP addresses in pairs, so that if the destination IP address and source IP address of a SYN message match the same pair in the blacklist, the message may be determined to be an attack). To identify attack sources more accurately, the preset threshold may be set to a high value, such as 10,000. When the firewall has multiple processors, each processor may tally, by destination IP address, the connections that are in an incomplete state and have timed out, find the destination IP addresses whose count exceeds the preset threshold, and add them to the destination IP address blacklist.
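The alarm-mode decision and the construction of the two blacklists described above, as an added worked example in Python; it is not code from the patent. The session states, the constructed session table and the thresholds are made up for the example (the patent's own example threshold is 10,000; 50 is used here so the constructed table stays small), and all names are invented.

```python
from collections import Counter
from dataclasses import dataclass

# Handshake states as the relay firewall sees them (names follow the patent's description)
SYN_SENT = "SYN_SENT"          # SYN forwarded to the server, waiting for its SYN+ACK
SYN_RECV = "SYN_RECV"          # SYN+ACK replied to the client, waiting for its ACK
ESTABLISHED = "ESTABLISHED"
HALF_OPEN = {SYN_SENT, SYN_RECV}


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    state: str
    timed_out: bool = False    # expiry timer fired before the handshake completed


def in_alarm_mode(sessions, count_threshold=10_000, ratio_threshold=None):
    """Periodic check run every preset interval. With a count threshold the firewall is in
    alarm mode exactly while the number of half-open sessions reaches the threshold; with a
    ratio threshold, while half-open sessions are at least that fraction of all sessions."""
    half_open = sum(1 for s in sessions if s.state in HALF_OPEN)
    if ratio_threshold is not None:
        return bool(sessions) and half_open / len(sessions) >= ratio_threshold
    return half_open >= count_threshold


def build_blacklists(sessions, threshold):
    """Tally timed-out half-open sessions per source and per destination.
    A source above the threshold looks like a SYN scanner. A destination above it looks
    like a server flooded by many hosts and is stored with each offending source as a
    (dst, src) pair, so a later SYN is matched on the pair, not on the destination alone."""
    expired = [s for s in sessions if s.state in HALF_OPEN and s.timed_out]
    per_src = Counter(s.src for s in expired)
    per_dst = Counter(s.dst for s in expired)
    src_blacklist = {ip for ip, n in per_src.items() if n > threshold}
    attacked = {ip for ip, n in per_dst.items() if n > threshold}
    dst_blacklist = {(s.dst, s.src) for s in expired if s.dst in attacked}
    return src_blacklist, dst_blacklist


def sample_sessions():
    """Constructed sample session table (not real traffic): one scanner probing 120 servers,
    80 spoofed sources flooding one server, and 20 normal established sessions."""
    table = [Session("203.0.113.7", f"198.51.100.{100 + i}", 80, SYN_SENT, timed_out=True)
             for i in range(120)]
    table += [Session(f"192.0.2.{i}", "198.51.100.10", 443, SYN_RECV, timed_out=True)
              for i in range(80)]
    table += [Session(f"10.0.0.{i}", "198.51.100.20", 443, ESTABLISHED) for i in range(20)]
    return table


if __name__ == "__main__":
    table = sample_sessions()
    print("alarm mode:", in_alarm_mode(table, count_threshold=100))
    src_bl, dst_bl = build_blacklists(table, threshold=50)
    print("source blacklist:", src_bl)
    print("destination pairs:", len(dst_bl), "all for", {d for d, _ in dst_bl})
```

On the constructed table the scanner lands in the source blacklist on its own, while the flooded server produces 80 (destination, source) pairs; the normal clients on 198.51.100.20 appear in neither list because their sessions completed.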
Since all attack IP addresses are stored in the blacklist, in order to divert the attack traffic, in the embodiments of the present disclosure the blacklist may be queried only by a designated processor: the firewall includes the designated processor and other processors. When the designated processor receives a SYN message and verifies that its source IP address is not in the white list, it verifies whether the IP address of the SYN message is in the blacklist; if it is, the SYN message is discarded, and if it is not, the processing mode of the SYN message is further determined according to the red list. When one of the other processors receives a SYN message and verifies that its source IP address is not in the white list, it determines the processing mode of the SYN message directly according to the red list.
That is, only the designated processor checks the blacklist; the other processors do not need to, so most of the attack traffic is steered to the designated processor and its effect on normal traffic is avoided. How the designated processor checks the blacklist is described below.
In one embodiment, source IP addresses whose number of connections in an incomplete state exceeds a preset threshold are added to the source IP address blacklist, and the hardware is configured so that all SYN messages sent by those source IP addresses are received by the designated processor of the firewall; destination IP addresses whose number of connections in an incomplete state exceeds a preset threshold, together with the corresponding source IP addresses, are added to the destination IP address blacklist, and the hardware is configured so that SYN messages requesting a connection to a destination IP address in the destination IP address blacklist are received by the designated processor. Verifying whether the IP address of a SYN message is in the blacklist then means that the designated processor verifies whether the source IP address of the SYN message is in the source IP address blacklist, and whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
The firewall may be a multi-core firewall, that is, one with multiple processors. When any processor adds a source IP address to the source IP address blacklist, a hardware filter may be configured so that messages sent by that source IP address are received by the designated one of the processors. During attack defense only the designated processor receives messages from source IP addresses in the source IP address blacklist, so naturally only the designated processor needs to query the source IP address blacklist. On receiving a SYN message, the designated processor may first determine whether its source IP address is in the white list; if not, it continues by determining whether the source IP address is in the blacklist; if so, the SYN message is discarded directly, and if not, the red list is checked next.
Similarly, the destination IP address blacklist stores the destination IP addresses determined to be attacked together with the corresponding source IP addresses. When an address is added to the destination IP address blacklist, a hardware filter may be configured in the same way, so that all messages for that destination IP address are received by the designated processor among the firewall's processors. On receiving a SYN message, the designated processor may first determine whether its source IP address is in the white list; if not, it continues by determining whether the destination IP address and source IP address appear as a pair in the destination IP address blacklist; if so, the SYN message is discarded directly, and if not, the red list is checked next.
For the other processors, because the blacklist is enforced by the hardware configuration, they never receive SYN messages from IP addresses in the blacklist and therefore need not query it; after determining that the source IP address of a received SYN message is not in the white list, they proceed directly to the red list check.
In this way, when under attack, a large number of attack SYN messages can be steered to the designated processor for handling without affecting the normal operation of the other processors, which improves the firewall's ability to defend against the attack.
The way of verifying the red list will be explained below.
In one embodiment, determining the processing mode of the SYN message according to the red list includes: if the source IP address is not in the red list of the current processor (the processor that received the SYN message), adding the source IP address to that red list and discarding the SYN message; if the SYN message is the 2nd to Nth SYN message sent by the source IP address, discarding it and replying with an incorrect SYN acknowledgement message, where N is a preset value greater than 2; after replying with the incorrect SYN acknowledgement message, if a connection release message sent by the source IP address is received, moving the source IP address from the red list of the current processor to the white list, and if no connection release message is received, taking no action; if the SYN message is the (N+1)th SYN message sent by the source IP address, discarding it and moving the source IP address from the red list of the current processor to the blacklist; and if the source IP address is in the red list of the current processor with its state set to attack, discarding the message.
The red list is a per-core resource, that is, each processor has its own red list, used to verify whether a SYN message received by the current processor is an attack. A specific method of processing the SYN message based on the red list is as follows:
1. Query the red list of the current processor by the source IP address of the SYN message; if the address is not in the red list, create a new entry for it in the red list and discard this first SYN message directly.
2. When the red list is checked and the message is the 2nd to Nth message sent by the source IP address (for example, N may be set to 10), discard the message, reply with an incorrect SYN+ACK message, and wait for the connection release message (that is, a reset message) the source IP address replies with. If the reset message is received, move the source IP address to the white list, after which subsequent messages from that source IP address are processed as normal traffic. If no reset message is received, take no action and continue waiting for the next message from the source IP address.
3. When the red list is checked and the message is the (N+1)th SYN message sent by the source IP address (that is, the source IP address has replied with no reset message after N rounds of verification and can be regarded as an attacker), discard the SYN message directly and move the source IP address from the red list to the blacklist.
In this way, the red list can be used to verify whether a SYN message whose source IP address is in neither the white list nor the blacklist is an attack, so that attacks can be defended against comprehensively and effectively. Because the red list is a local table of each core, performance scales linearly with the number of processors.
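The three red-list steps above as a small per-core state machine, added here as an illustration and not code from the patent. It assumes the SYN has already passed the white/black list checks; replies are returned as action strings rather than sent, and the action names and the `simulate` driver are this example's own convention.

```python
"""Per-core red-list verification of SYNs whose source is in neither the
white list nor the black list.

Added illustration, not the patent's own code. One processor's red list is
a dict; replies are returned as action strings instead of being sent, so the
flow can be exercised offline. Action names are this example's convention.
"""
from dataclasses import dataclass, field

N = 10  # preset verification rounds (the description's example value)


@dataclass
class RedEntry:
    syn_count: int = 0        # SYNs seen from this source so far
    state: str = "verifying"  # "verifying" or "attack"


@dataclass
class RedListCore:
    red: dict = field(default_factory=dict)  # src -> RedEntry (core-local)
    white: set = field(default_factory=set)  # shared in the patent; a set here
    black: set = field(default_factory=set)
    n: int = N

    def on_syn(self, src: str) -> str:
        """SYN from a source that passed the white/black checks. Returns the
        action: drop / drop+bad_synack / drop+blacklist."""
        entry = self.red.get(src)
        if entry is None:
            # step 1: unknown source, create the entry and drop the first SYN
            self.red[src] = RedEntry(syn_count=1)
            return "drop"
        if entry.state == "attack":
            return "drop"
        entry.syn_count += 1
        if entry.syn_count <= self.n:
            # step 2: SYNs 2..N are dropped but answered with a deliberately
            # wrong SYN+ACK. A real TCP stack at src answers that with a RST
            # (RFC 793); a spoofed source or a half-open flooder never does.
            return "drop+bad_synack"
        # step 3: SYN N+1 with no RST ever seen: classify as attack
        entry.state = "attack"
        self.black.add(src)
        return "drop+blacklist"

    def on_rst(self, src: str) -> str:
        """RST answering one of our wrong SYN+ACKs: the source is real and
        is moved from the red list to the white list."""
        entry = self.red.get(src)
        if entry is None or entry.state != "verifying" or entry.syn_count < 2:
            return "ignore"   # no probe was sent to this source
        del self.red[src]
        self.white.add(src)
        return "whitelist"


def simulate(core: RedListCore, src: str, answers_probes: bool) -> list:
    """Drive n+1 SYNs from src; a well-behaved host answers the first wrong
    SYN+ACK with a RST, a flooder never answers. Returns the action log."""
    log = []
    for _ in range(core.n + 1):
        action = core.on_syn(src)
        log.append(action)
        if action == "drop+bad_synack" and answers_probes:
            log.append(core.on_rst(src))
            break
    return log


if __name__ == "__main__":
    core = RedListCore(n=3)   # constructed sample addresses below
    print(simulate(core, "198.51.100.7", answers_probes=True))
    print(simulate(core, "203.0.113.9", answers_probes=False))
```

Note that every SYN up to the RST is dropped, so a legitimate client only gets through after its own TCP retransmissions; that added connection latency is the cost this verification trades for not keeping half-open state per source.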
In one embodiment, when the source IP address of a received SYN message is in the white list, the three-way handshake normally proceeds, but it may still time out. The state of a source IP address in the white list whose connection was not completed because of a timeout may therefore be set to pending. Step S12 may then include: if the source IP address of the SYN message is in the white list in the pending state and the SYN message is the first SYN message sent after the source IP address was set to pending, discarding the SYN message; if the source IP address of the SYN message is in the white list in the pending state and the SYN message is not the first SYN message sent after the source IP address was set to pending, replying with a correct SYN acknowledgement message; and if the acknowledgement message sent by the source IP address is received within the timeout, replying with a connection release message, setting the state of the source IP address in the white list to normal, and waiting for the source IP address to send a SYN message again.
That is, when a source IP address in the white list fails to complete the three-way handshake within the timeout and its session table entry is deleted, the cause may be that a valid source IP address is sending a meaningless SYN scan attack, so a source IP address in this situation may be further verified as follows:
1. Set the state of a source IP address in the white list that has experienced a connection timeout to pending.
2. When a source IP address in the pending state sends a SYN message again, discard this first SYN message directly.
3. For SYN messages sent subsequently, reply with a correct SYN+ACK message.
4. If the ACK message replied by the source IP address is received within the timeout, reply with a reset message, set the state of the source IP address to normal, and wait for the source IP address to resend the SYN message.
5. If the ACK message replied by the source IP address is not received within the timeout, take no action. A preset number of messages sent by the source IP address (for example, 10) are processed in this way (that is, after replying with the correct SYN+ACK message, wait for the ACK message); if after more than 10 such messages the ACK message replied by the source IP address is still not received, the source IP address may be moved to the blacklist and all its subsequent messages discarded.
Through this method, whether a possibly attacking source IP address exists in the white list can be verified, and received SYN messages can be handled better, achieving comprehensive defense against the attack.
In an embodiment, after the acknowledgement message sent by the source IP address is received within the timeout and the connection release message is replied, the anomaly count of the source IP address is incremented by one; when the anomaly count of the source IP address reaches a count threshold, the connection information of the SYN message received after the connection release message was replied is added to the yellow list, and the source IP address in the white list is marked with the yellow list state. Step S12 may then include: if the source IP address of the received SYN message is in the white list and carries the yellow list state mark, querying, by the connection information of the received SYN message, whether the source IP address is in the yellow list; if it is in the yellow list, replying with a correct SYN acknowledgement message, and then, if the acknowledgement message is received within the timeout, replying with a connection release message and waiting for the source IP address to resend the SYN message to establish the connection; and if the acknowledgement message is not received within the timeout, and is still not received after the SYN acknowledgement message has been replied a preset number of times, marking the connection information as an attack.
For a source IP address marked pending in the white list, receiving an ACK message from the source IP address after the SYN+ACK message is sent during verification does not make the situation normal: a valid source IP address may sometimes send attack messages and sometimes normal ones. The anomaly count may therefore be incremented by 1 each time this case occurs, and when it reaches a count threshold (for example, set to 100) a yellow list may be constructed: when the reset message has been sent successfully, add the connection information of the received SYN message (that is, the source IP address, the destination IP address and the port number) to the yellow list as a tuple, and mark the source IP address in the white list with the yellow list state. If the source IP address of a received SYN message is in the white list with the yellow list state, further query whether the connection information of the SYN message is in the yellow list; if not, perform the three-way handshake normally; if it is, reply with a SYN+ACK message, and if an ACK message replied by the source IP address is then received, send a reset message and wait for the next SYN message, from which the connection can be established normally; if the SYN+ACK message has been retried a preset number of times (for example, set to 3) and every attempt has timed out without an ACK message from the source IP address, discard the SYN message, mark the connection information in the yellow list as an attack, and discard all subsequent messages. In this way, SYN attacks can be defended against more comprehensively.
In the embodiment of the present disclosure, most distributed SYN attacks involve an attack source controlling a large number of compromised hosts (bots) to perform the SYN attack, and when such a bot attacks it often spoofs source IP addresses from an address segment similar to its own in addition to using its own IP. For this situation, the method can determine the attacker's source IP address segment statistically. For example, taking the source IP addresses in the red list from which more than 10,000 SYN messages were initiated, or for which the three-way handshake failed more than 10,000 times, it analyzes whether a network segment is likely to be present and narrows the statistical range, so that the network segment of the likely attacking IP addresses can be identified and analyzed. The segment confirmation may be run by a single thread of the processor, performing segment analysis on newly added IP addresses at regular intervals, so that confirming the segment does not affect the normal SYN message processing logic.
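The pending-state verification (steps 1 to 5 above) and the yellow list built on top of it, as one added state-machine example; this is an illustration and not the patent's own code. It assumes the thresholds given as examples in the text (10 unanswered probes, 100 anomalies, 3 SYN+ACK retries); the event names, the `WhiteEntry`/`YellowEntry` fields and the returned action strings are this example's own.

```python
"""White-list 'pending' re-verification and the per-core yellow list for
sources that once completed a handshake but later timed out.
Added illustration, not the patent's own code. Thresholds are the text's
example values; the (src, dst, dport) yellow-list key follows the text;
event names and returned action strings are this example's own.
"""
from dataclasses import dataclass, field

PENDING_PROBES = 10      # unanswered SYN+ACK probes tolerated while pending
ANOMALY_THRESHOLD = 100  # pending probes answered with ACK before 'yellow'
YELLOW_TRIES = 3         # SYN+ACK attempts per yellow connection before 'attack'


@dataclass
class WhiteEntry:
    state: str = "normal"       # normal | pending | yellow
    pending_syns: int = 0       # SYNs seen since the entry became pending
    unanswered: int = 0         # probes that timed out while pending
    anomalies: int = 0          # pending probes that were answered with ACK
    capture_next: bool = False  # yellow: record the next SYN's connection info


@dataclass
class YellowEntry:
    tries: int = 0              # SYN+ACKs sent for this connection
    state: str = "pending"      # pending | attack


@dataclass
class WhiteListCore:
    white: dict = field(default_factory=dict)   # src -> WhiteEntry
    yellow: dict = field(default_factory=dict)  # (src, dst, dport) -> YellowEntry
    black: set = field(default_factory=set)

    def add_white(self, src: str) -> None:
        self.white[src] = WhiteEntry()           # handshake once succeeded

    def on_handshake_timeout(self, src: str) -> None:
        """Session table expired before the handshake's third packet (step 1)."""
        e = self.white.get(src)
        if e is not None and e.state == "normal":
            e.state, e.pending_syns, e.unanswered = "pending", 0, 0

    def on_syn(self, src: str, dst: str, dport: int) -> str:
        """Returns the action for a SYN from a white-listed source."""
        e = self.white.get(src)
        if e is None:
            return "not_whitelisted"   # red/black list logic applies instead
        if e.state == "normal":
            return "handshake"         # ordinary three-way handshake
        if e.state == "pending":
            e.pending_syns += 1
            if e.pending_syns == 1:
                return "drop"          # step 2: first SYN after pending
            return "synack"            # step 3: probe with a correct SYN+ACK
        key = (src, dst, dport)        # yellow state from here on
        y = self.yellow.get(key)
        if y is None:
            if not e.capture_next:
                return "handshake"     # connection not under suspicion
            e.capture_next = False
            y = self.yellow[key] = YellowEntry()
        if y.state == "attack":
            return "drop"
        y.tries += 1
        return "synack"

    def on_ack(self, src: str, dst: str, dport: int) -> str:
        """Third handshake packet answering one of our probe SYN+ACKs."""
        e = self.white.get(src)
        if e is None:
            return "ignore"
        if e.state == "pending":
            # step 4: RST, back to normal, wait for a fresh SYN; a source that
            # keeps timing out and then answering is counted as anomalous
            e.state = "normal"
            e.anomalies += 1
            if e.anomalies >= ANOMALY_THRESHOLD:
                e.state, e.capture_next = "yellow", True
            return "rst"
        if e.state == "yellow" and self.yellow.pop((src, dst, dport), None) is not None:
            return "rst"               # next SYN on this tuple handshakes normally
        return "ignore"

    def on_probe_timeout(self, src: str, dst: str, dport: int) -> str:
        """No ACK arrived within the timeout after a probe SYN+ACK."""
        e = self.white.get(src)
        if e is None:
            return "ignore"
        if e.state == "pending":
            e.unanswered += 1          # step 5: no action, keep waiting...
            if e.unanswered > PENDING_PROBES:
                del self.white[src]    # ...until more than 10 probes fail
                self.black.add(src)
                return "blacklist"
            return "wait"
        y = self.yellow.get((src, dst, dport))
        if y is not None and y.tries >= YELLOW_TRIES:
            y.state = "attack"         # later SYNs on this tuple are dropped
            return "mark_attack"
        return "wait"
```

Because the yellow list is keyed by the full (source, destination, port) tuple, only the suspicious connection is probed while other connections from the same valid source still complete the handshake normally.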
To better describe the technical solution of the present disclosure, refer to fig. 2 and fig. 3: fig. 2 shows an example of the processing flow after the designated processor receives a SYN message, and fig. 3 shows an example of the processing flow after a processor other than the designated processor receives a SYN message; together they describe in detail one possible way of judging and processing the SYN message through the white list, blacklist, red list and yellow list. It can be seen that the embodiments of the present disclosure have at least the following technical effects:
1. The attack defense method based on the blacklist, white list, red list and yellow list can defend against attacks with invalid source IP addresses as well as SYN attacks with valid source IP addresses, so functionally it covers the various attack types.
2. By combining software and hardware, messages matching the blacklist are sent directly to the designated processor by the hardware network card, so that under a high-volume attack most of the attack traffic is diverted, only the designated processor needs to query the blacklist, and both the attack defense capability and the performance of the overall flow are improved.
3. For SYN attacks that use valid source IP addresses, a per-core yellow list is designed, so that the normal traffic of such an IP address keeps flowing while the SYN attack is still defended against.
4. The overall design fully considers each table under the multi-core architecture: the red list is a local table under high-volume attack and the yellow list is also a local table, so no lock is taken when attack traffic is added to the red and yellow lists. In most cases the white list, which is the table used most, is a global lock-free query, and the blacklist is queried only by the designated processor, so the whole flow preserves multi-core performance, which scales linearly as processors are added.
Referring to fig. 4, based on the same inventive concept, an embodiment of the disclosure provides a firewall 300, which may include:
a non-transitory computer-readable storage medium 301;
a plurality of processors 302, configured to receive SYN messages and, when the firewall is determined to be under attack, determine the processing mode of a SYN message according to the source IP address of the SYN message, the constructed white list and the other lists;
where the white list is used to store the source IP addresses of SYN messages whose three-way handshake succeeded, and the other lists include at least one of a blacklist for storing IP addresses of attack SYN messages, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is yet to be determined whether the SYN message is an attack, the connection information including a source IP address, a destination IP address and a port number.
Optionally, the processors 302 include a designated processor and other processors besides the designated processor, and the designated processor is configured to:
when a SYN message is received and the source IP address of the SYN message is verified not to be in the white list, verify whether the IP address of the SYN message is in the blacklist;
if the IP address of the SYN message is determined to be in the blacklist, discard the SYN message; or, if the IP address of the SYN message is determined not to be in the blacklist, determine the processing mode of the SYN message according to the red list of the current processor receiving the SYN message;
and the other processors are configured to:
when a SYN message is received and the source IP address of the SYN message is verified not to be in the white list, determine the processing mode of the SYN message according to the red list of the current processor receiving the SYN message.
Optionally, the processors 302 are configured to:
if the source IP address of the SYN message is not in the red list of the current processor receiving the SYN message, add the source IP address to the red list of the current processor and discard the SYN message;
if the SYN message is the 2nd to Nth SYN message sent by the source IP address, reply with an incorrect SYN acknowledgement message; after replying the incorrect SYN acknowledgement message, if a connection release message sent by the source IP address is received, move the source IP address from the red list of the current processor to the white list;
if the SYN message is the (N+1)th SYN message sent by the source IP address, discard the message and move the source IP address from the red list of the current processor to the blacklist.
Optionally, the blacklist includes a source IP address blacklist and a destination IP address blacklist, and the plurality of processors 302 are further configured to:
add source IP addresses whose number of connections in an incomplete state exceeds a preset threshold to the source IP address blacklist, and perform hardware configuration so that SYN messages sent by the source IP addresses added to the source IP address blacklist are received by the designated processor;
add destination IP addresses whose number of connections in an incomplete state exceeds a preset threshold, together with the corresponding source IP addresses, to the destination IP address blacklist, and perform hardware configuration so that SYN messages requesting connection establishment with a destination IP address in the destination IP address blacklist are received by the designated processor;
and the designated processor is configured to:
verify whether the source IP address of the SYN message is in the source IP address blacklist, and verify whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
Optionally, the processors 302 are further configured to:
set the state of a source IP address in the white list whose connection is not completed within the timeout to pending;
if the source IP address of the SYN message is in the white list in the pending state and the SYN message is the first SYN message sent after the source IP address was set to pending, discard the SYN message;
if the source IP address of the SYN message is in the white list in the pending state and the SYN message is not the first SYN message sent after the source IP address was set to pending, reply with a correct SYN acknowledgement message;
if the acknowledgement message sent by the source IP address is received within the timeout, reply with a connection release message, set the state of the source IP address in the white list to normal, and wait for the source IP address to send the SYN message again.
Optionally, the processors 302 are further configured to:
after receiving the acknowledgement message sent by the source IP address within the timeout and replying the connection release message, increment the anomaly count of the source IP address by one;
when the anomaly count of the source IP address reaches a count threshold, add the connection information of the SYN message received after replying the connection release message to the yellow list, and mark the source IP address in the white list with the yellow list state;
if the source IP address of the received SYN message is in the white list and carries the yellow list state mark, query, by the connection information of the received SYN message, whether the source IP address is in the yellow list;
if the source IP address is in the yellow list, reply with a correct SYN acknowledgement message, and if the acknowledgement message is received within the timeout, reply with a connection release message and wait for the source IP address to resend the SYN message to establish the connection; or, if the acknowledgement message is not received within the timeout and is still not received after the SYN acknowledgement message has been replied a preset number of times, mark the connection information as an attack.
Referring to fig. 5, based on the same inventive concept, an embodiment of the present disclosure provides an anti-attack SYN message processing apparatus 400, applied to a firewall, where the apparatus 400 may include:
a message receiving module 401, configured to receive a SYN message;
a processing module 402, configured to determine, when the firewall is determined to be under attack, the processing mode of the SYN message according to the source IP address of the SYN message, the constructed white list and the other lists;
where the white list is used to store the source IP addresses of SYN messages whose three-way handshake succeeded, and the other lists include at least one of a blacklist for storing IP addresses of attack SYN messages, a red list for verifying whether a SYN message is an attack message, and a yellow list for storing connection information for which it is yet to be determined whether the SYN message is an attack, the connection information including a source IP address, a destination IP address and a port number.
In the embodiments provided in the present disclosure, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into modules or units is only one logical division, and other divisions are possible in actual implementation; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not executed.
The functional modules in the embodiments of the present application may be integrated into one processing unit, or each module may exist alone physically, or two or more modules may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a non-transitory computer-readable storage medium. On this understanding, the technical solution of the present application, or the part of it that contributes over the prior art, may be embodied in whole or in part as a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a ROM (Read-Only Memory), a RAM (Random Access Memory), a magnetic disk, or an optical disk.
The above embodiments are only used to describe the technical solutions of the present disclosure in detail; they are intended only to help understand the method and core idea of the present disclosure and should not be construed as limiting it. Those skilled in the art should also appreciate that various modifications and substitutions can be made without departing from the scope of the present disclosure.

Claims (9)

1. A SYN message processing method for preventing attacks, applied to a firewall, characterized in that the method comprises the following steps:
receiving a SYN message;
when the firewall is determined to be under attack, determining a processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists;
wherein the white list is used for storing the source IP addresses of SYN messages whose three-way handshake succeeded; the other lists comprise at least one of a blacklist for storing IP addresses of attack SYN messages, a red list for verifying whether the SYN message is an attack message, and a yellow list for storing connection information for which it is yet to be determined whether the SYN message is an attack, wherein the connection information comprises a source IP address, a destination IP address and a port number;
setting the state of a source IP address in the white list whose connection is not completed within the timeout to pending;
and determining the processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists comprises:
if the source IP address of the SYN message is in the white list in the pending state and the SYN message is the first SYN message sent after the source IP address was set to pending, discarding the SYN message;
if the source IP address of the SYN message is in the white list in the pending state and the SYN message is not the first SYN message sent after the source IP address was set to pending, replying with a correct SYN acknowledgement message;
and if the acknowledgement message sent by the source IP address is received within the timeout, replying with a connection release message, setting the state of the source IP address in the white list to normal, and waiting for the source IP address to send the SYN message again.
2. The method of claim 1, wherein the firewall includes a designated processor and other processors, and wherein determining the processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists comprises:
when the designated processor receives the SYN message and verifies that the source IP address of the SYN message is not in the white list, verifying whether the IP address of the SYN message is in the blacklist;
if the designated processor determines that the IP address of the SYN message is in the blacklist, discarding the SYN message; or, if the designated processor determines that the IP address of the SYN message is not in the blacklist, determining the processing mode of the SYN message according to the red list;
and when one of the other processors receives the SYN message and verifies that the source IP address of the SYN message is not in the white list, determining the processing mode of the SYN message according to the red list.
3. The method of claim 2, wherein determining the processing mode of the SYN message according to the red list comprises:
if the source IP address of the SYN message is not in the red list of the current processor receiving the SYN message, adding the source IP address to the red list of the current processor and discarding the SYN message;
if the SYN message is the 2nd to Nth SYN message sent by the source IP address, replying with an incorrect SYN acknowledgement message; after replying the incorrect SYN acknowledgement message, if a connection release message sent by the source IP address is received, moving the source IP address from the red list of the current processor to the white list;
and if the SYN message is the (N+1)th SYN message sent by the source IP address, discarding the message and moving the source IP address from the red list of the current processor to the blacklist.
4. The method of claim 2, wherein the blacklist includes a source IP address blacklist and a destination IP address blacklist, the method further comprising:
adding source IP addresses whose number of connections in an incomplete state exceeds a preset threshold to the source IP address blacklist, and performing hardware configuration so that SYN messages sent by the source IP addresses added to the source IP address blacklist are received by the designated processor;
adding destination IP addresses whose number of connections in an incomplete state exceeds a preset threshold, together with the corresponding source IP addresses, to the destination IP address blacklist, and performing hardware configuration so that SYN messages requesting connection establishment with a destination IP address in the destination IP address blacklist are received by the designated processor;
and wherein verifying whether the IP address of the SYN message is in the blacklist comprises:
the designated processor verifying whether the source IP address of the SYN message is in the source IP address blacklist, and verifying whether the destination IP address and source IP address of the SYN message are in the destination IP address blacklist.
5. The method of claim 1, further comprising:
after receiving the acknowledgement message sent by the source IP address within the timeout and replying the connection release message, incrementing the anomaly count of the source IP address by one;
when the anomaly count of the source IP address reaches a count threshold, adding the connection information of the SYN message received after replying the connection release message to the yellow list, and marking the source IP address in the white list with the yellow list state;
and wherein determining the processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists comprises:
if the source IP address of the received SYN message is in the white list and carries the yellow list state mark, querying, by the connection information of the received SYN message, whether the source IP address is in the yellow list;
if the source IP address is in the yellow list, replying with a correct SYN acknowledgement message, and if the acknowledgement message is received within the timeout, replying with a connection release message and waiting for the source IP address to resend the SYN message to establish the connection; or, if the acknowledgement message is not received within the timeout and is still not received after the SYN acknowledgement message has been replied a preset number of times, marking the connection information as an attack.
6. A firewall, comprising:
a non-transitory computer-readable storage medium;
a plurality of processors configured to receive SYN messages and, when the firewall is determined to be under attack, determine a processing mode of the SYN message according to the source IP address of the SYN message, the constructed white list and other lists, and set the state of a source IP address in the white list whose connection is not completed within the timeout to pending;
wherein the white list is used for storing source IP addresses whose three-way handshake succeeded; the other lists comprise at least one of a blacklist for storing attack IP addresses, a red list for verifying whether the SYN message is an attack message, and a yellow list for storing connection information for which it is yet to be determined whether the SYN message is an attack, wherein the connection information comprises a source IP address, a destination IP address and a port number;
and determining the processing mode of the SYN message according to the source IP address of the SYN message and the constructed white list and other lists comprises:
if the source IP address of the SYN message is in the white list in the pending state and the SYN message is the first SYN message sent after the source IP address was set to pending, discarding the SYN message;
if the source IP address of the SYN message is in the white list in the pending state and the SYN message is not the first SYN message sent after the source IP address was set to pending, replying with a correct SYN acknowledgement message;
and if the acknowledgement message sent by the source IP address is received within the timeout, replying with a connection release message, setting the state of the source IP address in the white list to normal, and waiting for the source IP address to send the SYN message again.
7. The firewall according to claim 6, wherein the plurality of processors comprises a designated processor and other processors, the designated processor configured to:
when the SYN message is received and the source IP address of the SYN message is verified not to be in the white list, verifying whether the IP address of the SYN message is in the black list or not;
if the IP address of the SYN message is determined to be in the blacklist, discarding the SYN message; or, if the IP address of the SYN message is determined not to be in the blacklist, determining a processing mode of the SYN message according to the red list of the current processor receiving the SYN message;
the other processors are configured to:
when the SYN message is received and the source IP address of the SYN message is verified not to be in the white list, determine a processing mode of the SYN message according to the red list of the current processor receiving the SYN message.
8. An anti-attack SYN message processing device, applied to a firewall, comprising:
a message receiving module for receiving a SYN message;
a processing module for determining a processing mode of the SYN message according to the source IP address of the SYN message, the constructed white list and other lists when the firewall is determined to be under attack; and
a to-be-determined setting module for setting the state of a source IP address in the white list that has not connected within the timeout period to to-be-determined;
the white list is used for storing the source IP address of successful three-way handshake; the other lists comprise at least one of a blacklist used for storing attack IP addresses, a red list used for verifying whether the SYN message is an attack message or not and a yellow list used for storing connection information to be determined whether the SYN message is an attack or not, wherein the connection information comprises a source IP address, a destination IP address and a port number;
wherein the processing module is configured to:
if the source IP address of the SYN message is in the state of waiting to be determined in the white list and the SYN message is the first SYN message sent after the source IP address is set to be determined, discarding the SYN message;
if the source IP address of the SYN message is in the state of waiting to be determined in the white list and the SYN message is not the first SYN message sent after the source IP address is set to be determined, replying a correct SYN confirmation message;
if the confirmation message sent by the source IP address is received within the timeout period, replying a connection release message, setting the state of the source IP address in the white list to normal, and waiting for the source IP address to send the SYN message again.
9. A non-transitory computer readable storage medium including one or more programs for performing the method of any of claims 1-5.
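The white-list "pending" verification of claims 6 and 8 and the yellow-list retry limit of claim 5, as an added illustration in Python that is not the patent's own code: TIMEOUT, MAX_SYNACK, the IP addresses and the return labels ("drop", "syn-ack", "release", "forward") are assumed values chosen here, and packets are plain function arguments rather than real traffic.

```python
# Added illustration, not the patent's code: a simplified model of the
# white-list "pending" check (claims 6 and 8) and the yellow-list retry
# limit (claim 5). TIMEOUT and MAX_SYNACK are assumed values.
TIMEOUT = 5.0     # assumed: seconds the source has to send its ACK
MAX_SYNACK = 3    # assumed: the claim's "preset times" of SYN-ACK replies


class SynGuard:
    def __init__(self):
        self.white = {}    # src IP -> {"state", "syns", "sent"}
        self.yellow = {}   # (src, dst, port) -> (synacks_sent, last_sent_at)
        self.attacks = set()

    def mark_idle(self, src):
        """Claim 6: a white-listed source that did not connect within
        the timeout is set to the pending ("to-be-determined") state."""
        self.white[src] = {"state": "pending", "syns": 0, "sent": 0.0}

    def on_syn(self, src, dst, port, now):
        e = self.white.get(src)
        if e is not None:
            if e["state"] == "normal":
                return "forward"
            e["syns"] += 1
            if e["syns"] == 1:
                return "drop"        # first SYN after pending is discarded
            e["sent"] = now
            return "syn-ack"         # later SYNs get a correct SYN-ACK
        key = (src, dst, port)
        sent, _ = self.yellow.get(key, (0, now))
        if sent >= MAX_SYNACK:
            self.attacks.add(key)    # claim 5: no ACK after preset replies
            return "drop"
        self.yellow[key] = (sent + 1, now)
        return "syn-ack"

    def on_ack(self, src, dst, port, now):
        e = self.white.get(src)
        if e is not None:
            if e["state"] == "normal":
                return "forward"
            if e["syns"] >= 2 and now - e["sent"] <= TIMEOUT:
                e.update(state="normal", syns=0)
                return "release"     # RST; a real client resends its SYN
            return "drop"
        key = (src, dst, port)
        if key in self.yellow:
            _, at = self.yellow.pop(key)
            if now - at <= TIMEOUT:
                self.white[src] = {"state": "normal", "syns": 0, "sent": 0.0}
                return "release"     # handshake verified; source now white
        return "drop"
```

A spoofed source never answers the SYN-ACK, so its connection key reaches the retry limit and is marked as an attack, while a real client that completes the handshake is promoted to the white list and released to reconnect.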
CN201810308208.8A 2018-04-08 2018-04-08 Anti-attack SYN message processing method and device, firewall and storage medium Active CN108551446B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810308208.8A CN108551446B (en) 2018-04-08 2018-04-08 Anti-attack SYN message processing method and device, firewall and storage medium

Publications (2)

Publication Number Publication Date
CN108551446A CN108551446A (en) 2018-09-18
CN108551446B true CN108551446B (en) 2020-11-27

Family

ID=63514233

Country Status (1)

Country Link
CN (1) CN108551446B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103916389A (en) * 2014-03-19 2014-07-09 汉柏科技有限公司 Method for preventing HttpFlood attack and firewall
WO2016029126A1 (en) * 2014-08-21 2016-02-25 Verasynth Inc. Secure integration of web and mobile applications with enterprise application servers
CN105827646A (en) * 2016-05-17 2016-08-03 浙江宇视科技有限公司 SYN attack protecting method and device
CN106034056A (en) * 2015-03-18 2016-10-19 北京启明星辰信息安全技术有限公司 Service safety analysis method and system thereof
CN107864156A (en) * 2017-12-18 2018-03-30 东软集团股份有限公司 Ssyn attack defence method and device, storage medium

Also Published As

Publication number Publication date
CN108551446A (en) 2018-09-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant