CN108810008B - Transmission control protocol flow filtering method, device, server and storage medium - Google Patents

Info

Publication number: CN108810008B (granted); earlier publication CN108810008A
Application number: CN201810685411.7A
Authority: CN (China)
Legal status: Active
Original language: Chinese (zh)
Inventors: 陈国�, 杨磊, 罗喜军
Assignee (original and current): Tencent Technology Shenzhen Co Ltd
Prior art keywords: message, transmission control, baseline, rate, server

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

The invention discloses a Transmission Control Protocol (TCP) traffic filtering method, apparatus, server and storage medium, and belongs to the field of network security. The method comprises the following steps: when the server is under a Challenge Collapsar (CC) attack, the source IP addresses of the TCP packets sent to the server are classified into trusted and untrusted source IP addresses based on the server's source IP address trust list. TCP packets from trusted source IP addresses are forwarded to the server. For TCP packets from an untrusted source IP address, whether to intercept them is decided using the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline applied to the traffic of that untrusted source IP address.

Description

Transmission control protocol flow filtering method, device, server and storage medium
Technical Field
The present invention relates to the field of network security, and in particular to a method and an apparatus for filtering TCP traffic, a server, and a storage medium.
Background
A Distributed Denial of Service (DDoS) attack is one in which an attacker uses a botnet distributed across many locations to send a large volume of abnormal traffic to a target server. The server is kept busy processing the abnormal traffic, cannot handle normal user requests, and may even crash, so that service is denied.
A Challenge Collapsar (CC) attack (rendered literally as "black hole challenge" in the original) is a very common kind of DDoS attack. An attacking end (for example, a controlled client) establishes a Transmission Control Protocol (TCP) connection with the attacked end (for example, the attacked server) and then sends a large number of TCP junk packets to it, saturating the bandwidth of the attacked end and paralysing its service.
The conventional CC protection scheme uses watermarking: when a client sends an upstream TCP packet to the server, the packet must carry a watermark field computed by a predetermined algorithm. A protection end placed between the client and the server verifies the validity of the watermark field in each upstream TCP packet and decides on that basis whether to forward the packet to the server, so that illegitimate packets are intercepted. This scheme, however, requires the client code to be modified, so the integration cost and the barrier to adoption are high; in addition, the watermark field lengthens the TCP packet and increases the upstream traffic cost.
Disclosure of Invention
The embodiments of the invention aim to solve the problems of the related art that watermark-based CC protection imposes a high client integration cost and barrier to adoption and increases the upstream traffic cost. To this end they provide a TCP traffic filtering method, apparatus, server and storage medium. The technical scheme is as follows:
In one aspect, a TCP traffic filtering method is provided, the method comprising:
when a server is under CC attack, classifying the source IP addresses of the TCP packets sent to the server into trusted and untrusted source IP addresses based on the server's source IP address trust list, a trusted source IP address being a source IP address that is in the trust list and an untrusted source IP address being one that is not; forwarding the TCP packets from trusted source IP addresses to the server; and deciding whether to intercept the TCP packets from an untrusted source IP address using the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline applied to the traffic of that untrusted source IP address.
In another aspect, a TCP traffic filtering apparatus is provided, the apparatus comprising:
a judging module, configured to classify, when the server is under CC attack, the source IP addresses of the TCP packets sent to the server into trusted and untrusted source IP addresses based on the server's source IP address trust list, a trusted source IP address being a source IP address that is in the trust list and an untrusted source IP address being one that is not; and a filtering module, configured to forward the TCP packets from trusted source IP addresses to the server and to decide whether to intercept the TCP packets from an untrusted source IP address using the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline applied to the traffic of that untrusted source IP address.
In another aspect, a server is provided, the server comprising a processor and a memory, the memory storing at least one instruction which is loaded and executed by the processor to implement the TCP traffic filtering method of the first aspect.
In another aspect, a computer-readable storage medium is provided, storing at least one instruction which is loaded and executed by a processor to implement the TCP traffic filtering method of the first aspect.
The technical scheme provided by the embodiments of the invention has the following beneficial effects:
When the server is under CC attack, each source IP address of the TCP packets destined for the server is checked against the trust list; if it is trusted, its TCP packets are forwarded directly, so the TCP service of normal clients is not affected. If it is not trusted, the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline are used to judge whether the TCP packets from the untrusted source IP address are abnormal, and hence whether to discard or forward them. With this method no watermark field needs to be carried in upstream TCP packets, so the client code need not be modified; the cost and the barrier to adoption are low, which suits cloud service scenarios. At the same time the TCP packet length is unchanged, which saves upstream traffic cost.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention, and those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic flow diagram of a CC attack;
FIG. 2 is a schematic topology diagram of a TCP traffic filtering system according to an embodiment of the present invention;
FIG. 3 is a flowchart of a TCP traffic filtering method according to an embodiment of the present invention;
FIG. 4 is a flowchart of another TCP traffic filtering method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a TCP traffic filtering apparatus according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings.
To help in understanding the technical solution provided by the embodiments, the problems of the existing CC attack protection scheme are described first:
FIG. 1 is a schematic flow diagram of a CC attack. The CC attack considered here is a layer-4 CC attack, layer 4 being the transport layer of the Open Systems Interconnection (OSI) model. As shown in FIG. 1, the attacking end and the attacked end (the attacked server) establish a TCP connection through a three-way handshake: the attacking end first sends a synchronize (SYN) packet to the attacked end, the attacked end returns a SYN acknowledgement (SYN-ACK) packet, and the attacking end then sends an ACK packet, completing the handshake. Once the TCP connection is established, the attacking end sends a large volume of TCP junk packets to the attacked end, saturating its bandwidth and paralysing its service.
The conventional CC protection scheme uses watermarking: when sending an upstream TCP packet, the client must carry in it a watermark field computed by a predetermined algorithm. A protection end is placed between the client (attacking end) and the server (attacked end); it verifies the validity of the watermark field in each upstream TCP packet and decides on that basis whether to forward the packet to the server, so that illegitimate packets are intercepted. As shown in FIG. 1, the protection end checks whether the watermark field in each TCP packet is correct; the TCP junk packets sent by the attacking end do not carry a correct watermark field, so the protection end discards them.
However, this scheme requires the client code to be modified, which is time-consuming, labour-intensive and costly to integrate, and it raises the barrier to adoption. In addition, the watermark field lengthens the TCP packet and increases the upstream traffic cost. To solve these problems, an embodiment of the present invention provides a TCP traffic filtering method. Before the method itself is introduced, the architecture of the TCP traffic filtering system (that is, the protection end) is briefly described.
FIG. 2 is a schematic topology diagram of a TCP traffic filtering system according to an embodiment of the present invention. Referring to FIG. 2, the TCP traffic filtering system 10 is connected to a router 20, typically a core router of the network; the router 20 is connected to a carrier network 30 and, through a switch 40, to a server 50, so that the server 50 can communicate with other devices in the network. A router 20 may connect to multiple switches 40, the switches 40 may be core switches, and each switch 40 may connect to one or more servers 50.
The TCP traffic filtering system 10 comprises a detection and learning subsystem 101, a protection subsystem 102 and a control subsystem 103. The three subsystems may be implemented on separate devices (for example, servers), or two or all three of them may be integrated on one device.
When forwarding traffic to the server 50, the router 20 generates mirrored traffic and sends it to the detection and learning subsystem 101. From the mirrored traffic, the detection and learning subsystem 101 learns the TCP packets of each server to obtain a source IP address trust list, a SYN packet rate baseline, a TCP packet length baseline and a TCP packet rate baseline, and stores them in the database of the control subsystem 103. At the same time, the detection and learning subsystem 101 detects whether each server 50 is under CC attack and, when it detects that a server 50 is under attack, outputs alarm information to the protection subsystem 102 and the control subsystem 103.
When the protection subsystem 102 receives the alarm information, it obtains the server's source IP address trust list, SYN packet rate baseline, TCP packet length baseline and TCP packet rate baseline from the database of the control subsystem 103. At the same time, traffic diversion is set up between the protection subsystem 102 and the router 20: the server's TCP packets are diverted to the protection subsystem 102, which filters them according to the source IP address trust list, the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline and returns the filtered TCP packets to the router 20, which then transmits them to the server 50.
The server here is any one of the servers connected to the router 20.
FIG. 3 is a flowchart of a TCP traffic filtering method according to an embodiment of the present invention. Referring to FIG. 3, the method is performed by the TCP traffic filtering system described above and comprises:
Step 101: when the server is under CC attack, classify the source IP addresses of the TCP packets sent to the server into trusted and untrusted source IP addresses based on the server's source IP address trust list.
In the embodiment of the invention, a trusted source IP address is a source IP address that is in the source IP address trust list, and an untrusted source IP address is one that is not.
In the embodiment of the invention, the server being under CC attack means that the server is receiving a large volume of TCP attack traffic; in this application, whether the server is under CC attack is determined from the server's number of new connections, connection concurrency and number of abnormal connections.
In the embodiment of the invention, TCP traffic is the data transmitted to the server using the TCP protocol; it consists of a number of TCP packets.
In the embodiment of the invention, one server may have TCP connections with many clients and therefore receives TCP packets from many clients; the IP address of the client sending a TCP packet to the server is the source IP address. When the server is under CC attack, its TCP packets must be told apart: the TCP packets sent by an attacking end are intercepted, while the TCP packets sent by normal clients are forwarded to the server.
In the embodiment of the invention, the source IP address trust list is the white list of clients for the server: TCP packets sent by a client whose source IP address is recorded in the trust list are forwarded directly to the server without the further verification of step 103. Each server has its own source IP address trust list, and the IP addresses in it are learned during normal transmission time (that is, time during which the server is not under attack), so that the IP addresses of attacking ends are kept out of the list.
In this step, classifying the source IP addresses of the TCP packets sent to the server into trusted and untrusted source IP addresses may comprise: looking up the source IP address of each TCP packet sent to the server in the source IP address trust list; if the address is found it is a trusted source IP address, and if it is not found it is an untrusted source IP address.
Step 102: forward the TCP packets from trusted source IP addresses to the server.
Here, a TCP packet from a trusted source IP address means a TCP packet whose source IP address is a trusted source IP address. All TCP packets from trusted source IP addresses may be sent to the server.
Forwarding the TCP packets from trusted source IP addresses directly reduces the risk of false positives and avoids any impact of the TCP traffic filtering method on normal TCP services.
Step 103: decide whether to intercept the TCP packets from an untrusted source IP address using the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline applied to the traffic of that untrusted source IP address.
In step 103, the SYN packet rate baseline is first compared with the rate at which the untrusted source IP address sends SYN packets, to determine whether its SYN packets are abnormal and hence whether its TCP packets need to be intercepted. If the SYN packets are abnormal, the TCP packets from the untrusted source IP address are judged to need interception and are discarded, so that they cannot attack the server.
If the SYN packets are not abnormal, the TCP packet length baseline is used to determine whether any abnormally large packet is present among the TCP packets from the untrusted source IP address. If there is no abnormally large packet, the TCP packets from the untrusted source IP address are forwarded to the server. If an abnormally large packet is present, the TCP packet rate baseline is then used to judge whether the untrusted source IP address is abnormal: if it is not abnormal, its TCP packets are forwarded to the server; if it is abnormal, its TCP packets are discarded.
With this method, when the server is under CC attack, each source IP address of the TCP packets destined for the server is first checked against the trust list; if it is trusted, its TCP packets are forwarded directly, so the TCP service of normal clients is not affected. If it is not trusted, the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline are used to judge whether the TCP packets from the untrusted source IP address are abnormal, and hence whether to discard or forward them. No watermark field needs to be carried in upstream TCP packets, so the client code need not be modified; the cost and the barrier to adoption are low, which suits cloud service scenarios. At the same time the TCP packet length is unchanged, which saves upstream traffic cost.
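The decision sequence of steps 101 to 103, as an added worked example that is not part of the patent: the per-source counters (SYN rate, largest packet length, packet rate over one assumed one-second window), the sample addresses, the trust list contents and the baseline values are all assumed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed example: per-source counters the protection subsystem would gather
# for one unit time (assumed: 1 second) while the server is under CC attack.
@dataclass
class SourceStats:
    syn_rate: float       # SYN packets per second from this source
    max_packet_len: int   # largest TCP packet (bytes) seen from this source
    packet_rate: float    # TCP packets per second from this source

@dataclass
class Baselines:
    syn_rate: float       # SYN packet rate baseline (packets/s)
    packet_len: int       # TCP packet length baseline (bytes)
    packet_rate: float    # TCP packet rate baseline (packets/s)

FORWARD = "forward"
DROP = "drop"

def decide(src_ip: str, st: SourceStats, trust_list: Set[str], b: Baselines) -> Tuple[str, str]:
    """Return (action, reason) for all TCP packets of src_ip in this window."""
    # Steps 101/102: a source on the trust list is forwarded without any baseline check.
    if src_ip in trust_list:
        return FORWARD, "trusted source"
    # Step 103, first check: SYN rate against the SYN rate baseline.
    if st.syn_rate > b.syn_rate:
        return DROP, "SYN rate above baseline"
    # Second check: is any abnormally large packet present?
    if st.max_packet_len <= b.packet_len:
        return FORWARD, "no abnormally large packet"
    # Third check: large packets are present, so the packet rate baseline decides.
    if st.packet_rate > b.packet_rate:
        return DROP, "large packets and packet rate above baseline"
    return FORWARD, "large packets but packet rate within baseline"

def filter_window(window: Dict[str, SourceStats], trust_list: Set[str], b: Baselines) -> Dict[str, str]:
    """Apply decide() to every source seen in the window; returns src_ip -> action."""
    return {ip: decide(ip, st, trust_list, b)[0] for ip, st in window.items()}

# Constructed sample data (assumed values, not from the patent).
TRUST_LIST = {"10.0.0.5"}
BASELINES = Baselines(syn_rate=20.0, packet_len=1500, packet_rate=500.0)
WINDOW = {
    "10.0.0.5":     SourceStats(syn_rate=900.0, max_packet_len=60000, packet_rate=5000.0),  # trusted: forwarded regardless
    "198.51.100.7": SourceStats(syn_rate=250.0, max_packet_len=60,    packet_rate=300.0),   # SYN flood
    "203.0.113.9":  SourceStats(syn_rate=3.0,   max_packet_len=1200,  packet_rate=120.0),   # ordinary client
    "192.0.2.44":   SourceStats(syn_rate=2.0,   max_packet_len=9000,  packet_rate=4000.0),  # large packets at high rate
    "192.0.2.45":   SourceStats(syn_rate=2.0,   max_packet_len=9000,  packet_rate=40.0),    # large packets, low rate (an upload)
}

if __name__ == "__main__":
    for ip, action in filter_window(WINDOW, TRUST_LIST, BASELINES).items():
        print(f"{ip:14s} {action:8s} {decide(ip, WINDOW[ip], TRUST_LIST, BASELINES)[1]}")
```

The trusted entry deliberately carries flood-like counters to show that step 102 keys on the source IP address alone: the patent's trust list bypasses every baseline check, so a packet whose source address field merely claims a trusted address would be forwarded as well; the description does not address that case.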
FIG. 4 is a flowchart of another TCP traffic filtering method provided in an embodiment of the present invention. Referring to FIG. 4, the method is executed by the TCP traffic filtering system described above and its flow comprises:
Step 201: count, per unit time, the server's number of new connections, connection concurrency and number of abnormal connections.
Specifically, the TCP traffic filtering system receives the mirrored traffic sent by the router; the mirrored traffic contains TCP traffic as well as other traffic, such as UDP traffic. For each server, the number of new TCP connections, the TCP connection concurrency and the number of abnormal TCP connections per unit time are counted.
The server's TCP connections are identified by the five-tuple (protocol, source IP address, source port, destination IP address, destination port) of the packets in the TCP traffic, and the number of new connections and the connection concurrency are derived from the connections so identified. The number of new connections is the number of TCP connections that exist in the current unit time (for example, one minute) but did not exist in the previous unit time, and the connection concurrency is the number of TCP connections that exist in the current unit time.
The number of abnormal connections is the number of abnormal TCP connections among the TCP connections existing in the current unit time. A TCP connection is judged abnormal when it satisfies any one of the following conditions:
the payload of a packet transmitted on the TCP connection begins with the GET field and the packet length exceeds 500 bytes;
a single byte value is repeated consecutively in the payload of a packet transmitted on the TCP connection more than a preset number of times and the packet length exceeds 500 bytes;
the payload of a packet transmitted on the TCP connection begins with "#" and the packet length is 500 bytes or more;
among the packets transmitted on the TCP connection, the sequence (seq) number keeps increasing while the acknowledgement (ack) number remains unchanged.
Big-data analysis of the layer-4 CC attacks seen in production networks found these patterns to be common to them: they occur frequently during attacks and only very rarely in normal service traffic, which is why connections showing them are judged abnormal.
In the embodiment of the invention, the mirrored traffic sent by the router contains the TCP traffic of several servers, so the number of new connections, the connection concurrency and the number of abnormal connections are counted separately for each server. When the mirrored traffic contains the TCP traffic of several servers, the subsequent steps are likewise performed separately for the TCP traffic of each server.
Step 202: determine whether the server is under CC attack from its number of new connections, connection concurrency and number of abnormal connections.
Specifically, the server's number of new connections in the unit time is compared with the server's new connection safety threshold, its connection concurrency in the unit time with its concurrency safety threshold, and its number of abnormal connections in the unit time with its abnormal connection safety threshold.
When any one of the server's number of new connections, connection concurrency and number of abnormal connections exceeds its safety threshold, the server is determined to be under CC attack. When none of them exceeds its safety threshold, the server is determined not to be under CC attack.
In the embodiment of the present invention, the new connection safety threshold, the concurrency safety threshold and the abnormal connection safety threshold may be determined as follows: determine a new connection baseline and a connection concurrency baseline for the server; multiply the new connection baseline by A to obtain the new connection safety threshold, multiply the connection concurrency baseline by B to obtain the concurrency safety threshold, and multiply the new connection baseline by C to obtain the abnormal connection safety threshold, where A and B are greater than 1 and C is greater than 0 and less than 1.
The new connection baseline is a threshold on the number of new connections and the connection concurrency baseline is a threshold on the connection concurrency; both can be obtained by learning and then stored in the database.
The values of A, B and C can be chosen according to actual needs; for example, A and B may be 2 and C may be 2/3.
The new connection baseline and the connection concurrency baseline characterise normal service behaviour, whereas the safety thresholds are meant to bound abnormal service behaviour, which is why the coefficients A, B and C are applied to the new connection baseline and the connection concurrency baseline.
Further, the method also comprises recording the time during which the server is under CC attack, consisting of a start time and an end time. The start time is the time at which step 202 first detects that the server is under CC attack, and the end time is the time at which step 202 first detects that the server is no longer under attack.
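Steps 201 and 202 carried through on constructed data, as an added example that is not the patent's own code. The four abnormal-connection conditions are applied per connection to its client-to-server packets; the "preset" repeat count for condition 2 is not given in the description, so a value of 64 is assumed here, and the TCP payload length stands in for the "packet length" the text refers to. The connection baselines, the counters and A, B, C = 2, 2, 2/3 are likewise assumed.

```python
from dataclasses import dataclass
from typing import List

REPEAT_LIMIT = 64  # assumed "preset value" for consecutive single-byte repeats; the patent gives none

@dataclass
class Packet:
    seq: int        # TCP sequence number
    ack: int        # TCP acknowledgement number
    payload: bytes  # TCP payload; its length stands in for the "packet length" (assumption)

def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of one byte value repeated consecutively."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best

def is_abnormal_connection(packets: List[Packet]) -> bool:
    """Apply the four conditions of step 201 to the client->server packets of one TCP connection."""
    for p in packets:
        n = len(p.payload)
        if p.payload.startswith(b"GET") and n > 500:                 # condition 1
            return True
        if n > 500 and longest_byte_run(p.payload) > REPEAT_LIMIT:   # condition 2
            return True
        if p.payload.startswith(b"#") and n >= 500:                  # condition 3
            return True
    # condition 4: seq increases packet after packet while ack never changes
    if len(packets) >= 2:
        seq_increasing = all(a.seq < b.seq for a, b in zip(packets, packets[1:]))
        ack_constant = len({p.ack for p in packets}) == 1
        if seq_increasing and ack_constant:
            return True
    return False

def count_abnormal(connections: List[List[Packet]]) -> int:
    return sum(is_abnormal_connection(c) for c in connections)

@dataclass
class ServerCounters:
    new_conns: int     # TCP connections first seen in this unit time
    concurrent: int    # TCP connections existing in this unit time
    abnormal: int      # of those, how many is_abnormal_connection() flags

def is_under_cc_attack(c: ServerCounters, new_conn_baseline: float, concurrency_baseline: float,
                       A: float = 2.0, B: float = 2.0, C: float = 2 / 3) -> bool:
    """Step 202: attack if any counter exceeds its safety threshold (A, B > 1; 0 < C < 1)."""
    return (c.new_conns > A * new_conn_baseline
            or c.concurrent > B * concurrency_baseline
            or c.abnormal > C * new_conn_baseline)

# Constructed sample connections (assumed data); each is the client->server packet list.
NORMAL_GET = [Packet(seq=1, ack=1, payload=b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
              Packet(seq=60, ack=900, payload=b"")]          # ack advanced once the response arrived
BIG_GET = [Packet(seq=1, ack=1, payload=b"GET /" + b"A" * 600 + b" HTTP/1.1\r\n\r\n")]
HASH_PAD = [Packet(seq=1, ack=1, payload=b"#" + b"\x00" * 499)]   # exactly 500 bytes starting with '#'
SEQ_ONLY = [Packet(seq=1, ack=7, payload=b"x" * 10), Packet(seq=11, ack=7, payload=b"y" * 10),
            Packet(seq=21, ack=7, payload=b"z" * 10)]            # seq climbs, ack never moves
CONNECTIONS = [NORMAL_GET, BIG_GET, HASH_PAD, SEQ_ONLY]

if __name__ == "__main__":
    abnormal = count_abnormal(CONNECTIONS)
    counters = ServerCounters(new_conns=4, concurrent=4, abnormal=abnormal)
    # Assumed learned baselines: 3 new connections and 10 concurrent connections per unit time.
    print(abnormal, "abnormal;", "attack" if is_under_cc_attack(counters, 3.0, 10.0) else "no attack")
```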
Step 203: learn from the server's TCP packets to obtain the source IP address trust list, the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline.
The source IP address trust list is the white list of clients for the server: TCP packets sent by a client whose source IP address is recorded in the trust list are forwarded directly to the server without the further verification of step 103. Each server has its own source IP address trust list, and the IP addresses in it are learned during normal transmission time, so that the IP addresses of attacking ends are kept out of the list.
In the embodiment of the present invention, the source IP address trust list is learned as follows:
Record the source IP address of each TCP packet. Together with the source IP address, record the corresponding time, that is, the time at which the TCP packet sent by that source IP address was captured.
Delete the source IP addresses recorded while the server was under CC attack.
Select the source IP addresses that appear in at least M of N consecutive periods to generate the source IP address trust list, where N and M are integers, N is greater than or equal to M, and N is greater than 1.
The N consecutive periods can be designed as required, for example 7 consecutive periods such as 7 days. If a source IP address appears in 2 of the 7 periods, it is determined to be trusted and written into the source IP address trust list.
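The trust list learning procedure above (record, drop attack-time records, select addresses seen in at least M of N periods), as an added example that is not from the patent. The observation records, the attack window and the learning window (7 daily periods, M = 2, matching the text's example) are constructed; the learning window is assumed to end at a given time and to be split into N equal periods counted back from that time.

```python
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple

def in_attack_window(t: datetime, windows: List[Tuple[datetime, datetime]]) -> bool:
    """True if t falls inside any recorded (start, end) CC attack interval."""
    return any(start <= t < end for start, end in windows)

def learn_trust_list(observations: Iterable[Tuple[str, datetime]],
                     attack_windows: List[Tuple[datetime, datetime]],
                     learn_end: datetime,
                     n_periods: int = 7,
                     m_required: int = 2,
                     period: timedelta = timedelta(days=1)) -> Set[str]:
    """Source IP trust list: addresses seen in at least M of the N consecutive periods
    ending at learn_end, ignoring records taken while the server was under CC attack."""
    assert n_periods >= m_required and n_periods > 1
    learn_start = learn_end - n_periods * period
    periods_seen = {}  # src_ip -> set of period indices in which it was observed
    for src_ip, t in observations:
        if not (learn_start <= t < learn_end):
            continue                     # outside the N consecutive periods
        if in_attack_window(t, attack_windows):
            continue                     # record taken during an attack: deleted
        idx = (t - learn_start) // period   # timedelta // timedelta -> int period index
        periods_seen.setdefault(src_ip, set()).add(idx)
    return {ip for ip, idxs in periods_seen.items() if len(idxs) >= m_required}

# Constructed records: (source IP, capture time). Assumed data, not from the patent.
T0 = datetime(2024, 1, 1)                # start of the 7-day learning window
END = T0 + timedelta(days=7)
ATTACKS = [(T0 + timedelta(days=5, hours=2), T0 + timedelta(days=5, hours=4))]
OBS = [
    ("10.0.0.5", T0 + timedelta(days=1, hours=9)),
    ("10.0.0.5", T0 + timedelta(days=4, hours=9)),      # seen in 2 of 7 periods -> trusted
    ("10.0.0.6", T0 + timedelta(days=2, hours=3)),
    ("10.0.0.6", T0 + timedelta(days=2, hours=15)),     # twice, but within one period -> not trusted
    ("192.0.2.44", T0 + timedelta(days=3)),
    ("192.0.2.44", T0 + timedelta(days=5, hours=3)),    # second sighting falls in the attack window -> deleted
    ("198.51.100.7", T0 - timedelta(days=3)),
    ("198.51.100.7", T0 + timedelta(days=6, hours=1)),  # earlier sighting predates the window
]

if __name__ == "__main__":
    print(sorted(learn_trust_list(OBS, ATTACKS, END)))
```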
In the embodiment of the invention, the SYN message rate baseline, the TCP message length baseline and the TCP message rate baseline are learned as follows:
Acquiring the SYN message rate, the TCP message length and the TCP message rate from the TCP messages of the server. Each recorded SYN message rate, TCP message length and TCP message rate is stored together with the corresponding time and source IP address; the SYN message rate and the TCP message rate may be recorded once per unit time, for example once every 1 minute.
Deleting the SYN message rate, TCP message length and TCP message rate values obtained while the server was under CC attack.
Periodically generating a SYN message rate baseline, a TCP message length baseline and a TCP message rate baseline from the SYN message rates, TCP message lengths and TCP message rates obtained.
In this step, at the end of each cycle, the SYN message rates, TCP message lengths and TCP message rates of the server obtained during that cycle are aggregated to obtain a SYN message rate baseline, a TCP message length baseline and a TCP message rate baseline. The baselines generated in each period replace the baselines obtained in the previous period.
Illustratively, the cycle time may be one day.
Periodically generating the SYN message rate baseline, the TCP message length baseline and the TCP message rate baseline from the SYN message rates, TCP message lengths and TCP message rates obtained comprises the following steps:
Calculating the average value and the standard deviation of the SYN message rate in the period and adding X times the standard deviation to the average value of the SYN message rate to obtain a first value; if the first value is less than or equal to the first rate threshold, using the first rate threshold as the SYN message rate baseline, and if the first value is greater than the first rate threshold, using the first value as the SYN message rate baseline, where X is greater than 1.
Calculating the average value and the standard deviation of the TCP message length in the period and adding Y times the standard deviation to the average value of the TCP message length to obtain a second value; if the second value is less than or equal to the message length threshold, using the message length threshold as the TCP message length baseline, and if the second value is greater than the message length threshold, using the second value as the TCP message length baseline, where Y is greater than 1. The value of Y may be 5; the second value may be chosen according to actual needs and is expressed in bytes.
Calculating the average value and the standard deviation of the TCP message rate in the period and adding Z times the standard deviation to the average value of the TCP message rate to obtain a third value; if the third value is less than or equal to the second rate threshold, using the second rate threshold as the TCP message rate baseline, and if the third value is greater than the second rate threshold, using the third value as the TCP message rate baseline, where Z is greater than 1. The value of Z may be 5; the third value may be chosen according to actual needs and is expressed in messages per second.
Optionally, in step 203 a source IP packet rate baseline may also be learned. It is learned in the same way as the TCP message rate baseline, except that the source IP packet rate baseline relates to the rate of packets of all traffic types sent to the server (for example TCP, UDP and ICMP (Internet Control Message Protocol) traffic).
Further, the TCP traffic filtering system also needs to learn the new connection number baseline and the connection concurrency baseline.
In the embodiment of the invention, the new connection number baseline and the connection concurrency baseline are learned as follows:
Recording the number of new connections and the connection concurrency of the server per unit time. Each recorded value is stored together with the corresponding time. The number of new connections and the connection concurrency may be recorded in the same way as in step 201.
Deleting the new connection numbers and connection concurrency values recorded while the server was under CC attack.
Periodically generating a new connection number baseline and a connection concurrency baseline from the new connection numbers and connection concurrency values of the server obtained per unit time.
Periodically generating the new connection number baseline and the connection concurrency baseline from the new connection numbers and connection concurrency values of the server obtained per unit time comprises the following steps:
Calculating the average value and the standard deviation of the new connection number in the period and adding P times the standard deviation to the average value of the new connection number to obtain a fourth value; if the fourth value is less than or equal to the connection number threshold, using the connection number threshold as the new connection number baseline, and if the fourth value is greater than the connection number threshold, using the fourth value as the new connection number baseline, where P is greater than 1. For example, with P equal to 5, the fourth value is the average new connection number plus 5 times its standard deviation; if the fourth value is less than or equal to 400, 400 is used as the new connection number baseline, and if the fourth value is greater than 400, the fourth value is used as the new connection number baseline.
Calculating the average value and the standard deviation of the connection concurrency in the period and adding Q times the standard deviation to the average value of the connection concurrency to obtain a fifth value; if the fifth value is less than or equal to the concurrency threshold, using the concurrency threshold as the connection concurrency baseline, and if the fifth value is greater than the concurrency threshold, using the fifth value as the connection concurrency baseline, where Q is greater than 1. The value of Q may be 5, and the fifth value may be chosen according to actual needs.
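The baseline rule that all five learned baselines share (mean plus a multiplier times the standard deviation, floored at a fixed threshold), as an added example that is not the patent's code, applied to one period's samples of each metric; it also derives the detection safety thresholds (baseline multiplied by A, B and C) that the detection module builds from the two connection baselines. The population standard deviation and all numeric sample values are assumptions; the patent does not specify an estimator.

```python
# Added example (not from the patent): baseline = max(floor, mean + k * sd)
# for each learned metric, plus the safety thresholds used for CC detection.
# The population standard deviation is an assumption; the patent does not
# say which estimator is used. Multipliers, floors and samples are constructed.
import statistics
from typing import Dict, Sequence

# Multipliers X, Y, Z, P, Q (all > 1; the patent suggests 5 for Y, Z, P, Q)
# and the floor thresholds; values are constructed for this example.
MULTIPLIERS = {
    "syn_rate": 5.0,          # X
    "tcp_length": 5.0,        # Y
    "tcp_rate": 5.0,          # Z
    "new_connections": 5.0,   # P
    "concurrency": 5.0,       # Q
}
FLOORS = {
    "syn_rate": 50.0,          # first rate threshold, SYN messages/s
    "tcp_length": 1200.0,      # message length threshold, bytes
    "tcp_rate": 500.0,         # second rate threshold, messages/s
    "new_connections": 400.0,  # connection number threshold (patent's example)
    "concurrency": 2000.0,     # concurrency threshold
}


def learn_baseline(samples: Sequence[float], k: float, floor: float) -> float:
    """Baseline for one metric over one period: max(floor, mean + k * sd)."""
    if k <= 1:
        raise ValueError("multiplier must be greater than 1")
    if not samples:
        raise ValueError("no samples recorded in this period")
    value = statistics.fmean(samples) + k * statistics.pstdev(samples)
    return value if value > floor else floor


def learn_all_baselines(period_samples: Dict[str, Sequence[float]]) -> Dict[str, float]:
    """Apply the rule to every metric recorded in the period. Samples taken
    while the server was under attack must already have been deleted."""
    return {
        metric: learn_baseline(samples, MULTIPLIERS[metric], FLOORS[metric])
        for metric, samples in period_samples.items()
    }


def safety_thresholds(baselines: Dict[str, float], a: float, b: float, c: float) -> Dict[str, float]:
    """Detection thresholds: new-connection baseline x A, concurrency
    baseline x B, and new-connection baseline x C for abnormal connections,
    with A > 1, B > 1 and 0 < C < 1 as the description requires."""
    if not (a > 1 and b > 1 and 0 < c < 1):
        raise ValueError("require A > 1, B > 1 and 0 < C < 1")
    return {
        "new_connections": baselines["new_connections"] * a,
        "concurrency": baselines["concurrency"] * b,
        "abnormal_connections": baselines["new_connections"] * c,
    }


# Constructed one-day period. Per-minute SYN and TCP rates would give 1440
# samples in practice; a few suffice to show both branches of the rule.
SAMPLE_PERIOD = {
    "syn_rate": [4.0, 6.0, 4.0, 6.0],                 # mean 5, sd 1: 10 <= 50, floor wins
    "tcp_length": [600.0, 1000.0, 600.0, 1000.0],     # mean 800, sd 200: 1800 > 1200
    "tcp_rate": [100.0, 100.0, 100.0, 100.0],         # sd 0: floor 500 wins
    "new_connections": [300.0, 500.0, 300.0, 500.0],  # mean 400, sd 100: 900 > 400
    "concurrency": [1000.0, 1000.0, 1000.0, 1000.0],  # floor 2000 wins
}


def sample_baselines() -> Dict[str, float]:
    """Baselines learned from the constructed period."""
    return learn_all_baselines(SAMPLE_PERIOD)


if __name__ == "__main__":
    print(sample_baselines())
    print(safety_thresholds(sample_baselines(), a=2.0, b=3.0, c=0.5))
```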
In the method flow, steps 201, 202 and 203 are executed by the detection learning subsystem of the TCP traffic filtering system shown in fig. 2.
Step 204: Storing the source IP address trust list, the SYN message rate baseline, the TCP message length baseline and the TCP message rate baseline.
For brevity, the following text uses "fingerprint characteristic baseline data" to refer to the source IP address trust list, the SYN message rate baseline, the TCP message length baseline and the TCP message rate baseline together.
In the embodiment of the present invention, storing the fingerprint characteristic baseline data means storing it in a database. The database stores the fingerprint characteristic baseline data of each server. Specifically, the database may hold the fingerprint characteristic baseline data together with the address of the server it belongs to, so that the corresponding fingerprint characteristic baseline data can later be retrieved by server address.
The database may be located in the control subsystem of the TCP traffic filtering system, and step 204 is performed by the detection learning subsystem of the TCP traffic filtering system, which stores the fingerprint characteristic baseline data in the database of the control subsystem. Since the fingerprint characteristic baseline data is generated periodically, the data in the database is also updated periodically; updating means replacing the original fingerprint characteristic baseline data in the database with the new data.
Step 205: when a server is attacked by CC, a trusted source IP address and an untrusted source IP address in a source IP address of a TCP message sent to the server are determined based on a source IP address trust list of the server, wherein the trusted source IP address is a source IP address in the source IP address trust list, and the untrusted source IP address is a source IP address not in the source IP address trust list.
In the embodiment of the present invention, step 205 may include: retrieving the source IP address trust list of the server from the database by the address of the server, and determining whether the source IP address of each TCP message is in the source IP address trust list.
Step 205 may be performed by the protection subsystem of the TCP traffic filtering system.
Optionally, the method further comprises: generating alarm information when the server is attacked by the CC.
The alarm information may include a receiving time, an address of the server, and an attack type. Wherein the attack type is CC attack.
The alarm information is generated by the detection learning subsystem and then output to the control subsystem and the protection subsystem. When the protection subsystem receives the alarm information, fingerprint characteristic baseline data of the server is obtained from the control subsystem according to the address of the server in the alarm information.
Step 206: Sending the TCP messages of the trusted source IP addresses to the server.
In the embodiment of the present invention, step 206 is performed by the protection subsystem of the TCP traffic filtering system and may include: performing traffic traction between the protection subsystem and the router so that the TCP messages destined for the server are drawn to the protection subsystem; then filtering the server's TCP messages according to the fingerprint characteristic baseline data, returning the TCP messages of trusted source IP addresses to the router, and having the router send them to the server.
Traffic traction between the protection subsystem and the router, which draws the TCP messages of the server to the TCP traffic filtering system, can be realized as follows: the protection subsystem establishes a Border Gateway Protocol (BGP) neighbor relationship with the router and advertises a traction route for the server to the router, and the router then sends the TCP messages of the server to the protection subsystem.
Specifically, two virtual routers can be created in the router: a first virtual router, responsible for receiving the TCP messages destined for the server, and a second virtual router, responsible for sending the TCP messages to the server. The protection subsystem advertises a traction route for the server to the first virtual router; the next hop of the traction route is the protection subsystem, and the subnet mask of the traction route is longer than that of the server route learned by the first virtual router, so the first virtual router adopts the traction route as the route to the server according to the longest-prefix-match principle. The first virtual router sends the received TCP messages of the server to the protection subsystem, which performs TCP traffic filtering. After the attack on the server ends, the protection subsystem may send information announcing the withdrawal of the traction route to the first virtual router, so that TCP messages are no longer sent to the protection subsystem while the server is not under CC attack.
The protection subsystem returns the filtered TCP message to the router, and the router sends the filtered TCP message to the server.
Specifically, the protection subsystem sends the TCP packet of the server to the second virtual router after performing TCP traffic filtering, and the TCP packet is sent to the server by the second virtual router.
Step 207: Judging, using the SYN message rate baseline, the TCP message length baseline and the TCP message rate baseline, whether to intercept the TCP messages of the untrusted source IP addresses.
In the embodiment of the present invention, determining whether to intercept the TCP messages of an untrusted source IP address comprises:
Judging whether the transmission rate of SYN messages from the untrusted source IP address exceeds the SYN message rate baseline. The transmission rate of SYN messages from the untrusted source IP address is first measured and then compared with the SYN message rate baseline. Because an attacking end establishes connections far more frequently than a normal client, the SYN message rate baseline can be used to determine whether the untrusted source IP address is an attacking end.
When the transmission rate of SYN messages from the untrusted source IP address exceeds the SYN message rate baseline, the TCP messages of that untrusted source IP address are intercepted, that is, discarded. Further, the method may also include blacklisting the untrusted source IP address whose TCP messages were discarded and intercepting all of its subsequent TCP messages.
When the transmission rate of SYN messages from the untrusted source IP address does not exceed the SYN message rate baseline, judging whether, among the TCP messages of the untrusted source IP address, there is a message whose length exceeds the TCP message length baseline and whose rate exceeds the TCP message rate baseline. The message length and rate of the TCP messages of the untrusted source IP address are determined first. The length may be compared before the rate: if the message length exceeds the TCP message length baseline, the rate is then compared, and if the length does not exceed the baseline, the rate need not be compared. The comparison may of course also be performed in the other order, rate first and then length. Because the messages sent by an attacking end are longer and sent faster than those of a normal client, the TCP message length baseline and the TCP message rate baseline can be used to determine whether the untrusted source IP address is an attacking end.
If a message whose length exceeds the TCP message length baseline and whose rate exceeds the TCP message rate baseline exists, intercepting the TCP messages of the untrusted source IP address; if no such message exists, sending the TCP messages of the untrusted source IP address to the server.
The TCP messages of the untrusted source IP address are sent to the server in the manner described in step 206.
With the method and apparatus described here, when the server is under CC attack, each source IP address of the server's TCP messages is first checked against the trust list. If it is trusted, its TCP messages are forwarded directly, so the TCP service of normal clients is not affected. If it is not trusted, the untrusted source IP address is first judged using the SYN message rate baseline; if its SYN messages are abnormal, its TCP messages are intercepted and discarded, protecting the server from the attack. If its SYN messages are not abnormal, the TCP message length baseline and the TCP message rate baseline are further used to judge whether its TCP messages are abnormal: if not, they are sent to the server; if so, they are discarded. In this approach no watermark field needs to be carried in the uplink TCP messages, so the client code does not need to be modified, the cost and the barrier to adoption are low, the TCP message length is unchanged, and uplink traffic cost is saved. In addition, the source IP address trust list, the SYN message rate baseline, the TCP message length baseline and the TCP message rate baseline are all obtained by learning, so the scheme adapts to different networks and has a wide range of application.
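The per-source decision of steps 205 to 207, as an added example that is not the patent's code: trusted sources are forwarded; an untrusted source is dropped and blacklisted when its SYN rate exceeds the SYN message rate baseline, dropped when any of its messages both exceeds the length baseline and arrives faster than the rate baseline, and forwarded otherwise. Type names, field names, baseline values and the sample window are constructed.

```python
# Added example (not from the patent): the decision the protection subsystem
# makes per source IP once a CC attack has been declared. Names and data are
# constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Baselines:
    syn_rate: float   # SYN messages per second
    length: float     # bytes
    rate: float       # messages per second


@dataclass
class SourceStats:
    """Measurements for one source IP over the current observation window."""
    syn_rate: float
    # (length in bytes, send rate in messages/s) observed for each message;
    # the rate is the source's send rate at the moment the message arrived
    messages: List[Tuple[int, float]]


@dataclass
class Verdicts:
    forward: Set[str] = field(default_factory=set)
    drop: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)


def decide(stats: Dict[str, SourceStats], trust_list: Set[str],
           baselines: Baselines, blacklist: Set[str]) -> Verdicts:
    """Classify every source seen in the window; the input blacklist is
    copied, not modified, and the returned one includes new entries."""
    v = Verdicts(blacklist=set(blacklist))
    for src, st in stats.items():
        if src in trust_list:
            v.forward.add(src)      # step 206: trusted, forward directly
            continue
        if src in v.blacklist:
            v.drop.add(src)         # discarded earlier: all later messages intercepted
            continue
        if st.syn_rate > baselines.syn_rate:
            v.drop.add(src)         # step 207: SYN rate above baseline
            v.blacklist.add(src)    # optional blacklisting from the description
            continue
        # Length is compared first and the rate only when the length baseline
        # is already exceeded; the description allows either order.
        anomalous = any(length > baselines.length and rate > baselines.rate
                        for length, rate in st.messages)
        (v.drop if anomalous else v.forward).add(src)
    return v


# Constructed sample window.
SAMPLE_BASELINES = Baselines(syn_rate=50.0, length=1200.0, rate=500.0)
SAMPLE_TRUST = {"203.0.113.10"}
SAMPLE_BLACKLIST = {"198.51.100.6"}
SAMPLE_STATS = {
    "203.0.113.10": SourceStats(900.0, [(1500, 900.0)]),            # trusted: never checked
    "198.51.100.7": SourceStats(120.0, [(60, 5.0)]),                # SYN rate above baseline
    "198.51.100.8": SourceStats(3.0, [(1500, 800.0), (60, 10.0)]),  # one long and fast message
    "198.51.100.9": SourceStats(2.0, [(1500, 100.0), (200, 900.0)]),  # never both on one message
    "198.51.100.6": SourceStats(1.0, [(100, 1.0)]),                 # blacklisted earlier
}


def sample_verdicts() -> Verdicts:
    """Verdicts for the constructed window."""
    return decide(SAMPLE_STATS, SAMPLE_TRUST, SAMPLE_BASELINES, SAMPLE_BLACKLIST)


if __name__ == "__main__":
    v = sample_verdicts()
    print("forward:", sorted(v.forward))
    print("drop:", sorted(v.drop))
    print("blacklist:", sorted(v.blacklist))
```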
Fig. 5 is a schematic structural diagram of a TCP flow filtering apparatus according to an embodiment of the present invention, and referring to fig. 5, the apparatus 300 includes: a judging module 301 and a filtering module 302.
The determining module 301 is configured to determine, when the server is attacked by the CC and based on the source IP address trust list of the server, the trusted source IP addresses and the untrusted source IP addresses among the source IP addresses of the TCP messages sent to the server, where a trusted source IP address is one in the source IP address trust list and an untrusted source IP address is one not in the source IP address trust list. The filtering module 302 is configured to send the TCP messages of the trusted source IP addresses to the server, and to judge, using the SYN message rate baseline, the TCP message length baseline and the TCP message rate baseline, whether to intercept the TCP messages of the untrusted source IP addresses.
In the embodiment of the present invention, the filtering module 302 is configured to judge whether the transmission rate of SYN messages from an untrusted source IP address exceeds the SYN message rate baseline, and to intercept the TCP messages of the untrusted source IP address when it does. When the transmission rate of SYN messages from the untrusted source IP address does not exceed the SYN message rate baseline, the filtering module 302 judges whether, among the TCP messages of the untrusted source IP address, there is a message whose length exceeds the TCP message length baseline and whose rate exceeds the TCP message rate baseline. If such a message exists, the TCP messages of the untrusted source IP address are intercepted; if no such message exists, the TCP messages of the untrusted source IP address are sent to the server.
Further, the apparatus further comprises: a learning module 303 and a storage module 304.
The learning module 303 is configured to learn a TCP packet of the server, and obtain a source IP address trust list, a SYN packet rate baseline, a TCP packet length baseline, and a TCP packet rate baseline. The storage module 304 is configured to store a source IP address trust list, a SYN packet rate baseline, a TCP packet length baseline, and a TCP packet rate baseline.
In the embodiment of the present invention, the learning module 303 is configured to record the source IP addresses of the TCP messages, delete the source IP addresses recorded while the server was under CC attack, and select the source IP addresses that appear in at least M of N consecutive periods to generate the source IP address trust list, where N and M are integers, N is greater than or equal to M, and N is greater than 1.
In the embodiment of the present invention, the learning module 303 is configured to obtain the SYN message rate, the TCP message length and the TCP message rate from the TCP messages of the server, delete the SYN message rate, TCP message length and TCP message rate values obtained while the server was under CC attack, and periodically generate a SYN message rate baseline, a TCP message length baseline and a TCP message rate baseline from the SYN message rates, TCP message lengths and TCP message rates obtained.
In the embodiment of the present invention, the learning module 303 is configured to calculate the average value and the standard deviation of the SYN message rate in the period and add X times the standard deviation to the average value to obtain a first value; if the first value is less than or equal to the first rate threshold, the first rate threshold is used as the SYN message rate baseline, and if the first value is greater than the first rate threshold, the first value is used as the SYN message rate baseline, where X is greater than 1. It calculates the average value and the standard deviation of the TCP message length in the period and adds Y times the standard deviation to the average value to obtain a second value; if the second value is less than or equal to the message length threshold, the message length threshold is used as the TCP message length baseline, and if the second value is greater than the message length threshold, the second value is used as the TCP message length baseline, where Y is greater than 1. It calculates the average value and the standard deviation of the TCP message rate in the period and adds Z times the standard deviation to the average value to obtain a third value; if the third value is less than or equal to the second rate threshold, the second rate threshold is used as the TCP message rate baseline, and if the third value is greater than the second rate threshold, the third value is used as the TCP message rate baseline, where Z is greater than 1.
Further, the apparatus further comprises: a detection module 305.
The detection module 305 is configured to count the number of new connections, the connection concurrency and the number of abnormal connections of the server per unit time; to compare the number of new connections per unit time with the server's new connection number safety threshold, the connection concurrency per unit time with the server's connection concurrency safety threshold, and the number of abnormal connections per unit time with the server's abnormal connection number safety threshold; and to determine that the server is attacked by the CC when any one of the number of new connections, the connection concurrency or the number of abnormal connections exceeds its corresponding safety threshold.
In the embodiment of the present invention, the learning module 303 is further configured to record the number of new connections and the connection concurrency of the server per unit time, delete the new connection numbers and connection concurrency values recorded while the server was under CC attack, and periodically generate a new connection number baseline and a connection concurrency baseline from the new connection numbers and connection concurrency values of the server obtained per unit time. The new connection number baseline is multiplied by A to obtain the new connection number safety threshold, the connection concurrency baseline is multiplied by B to obtain the connection concurrency safety threshold, and the new connection number baseline is multiplied by C to obtain the abnormal connection number safety threshold, where A and B are greater than 1 and C is greater than 0 and less than 1.
In the embodiment of the present invention, the learning module 303 is configured to calculate the average value and the standard deviation of the new connection number in the period and add P times the standard deviation to the average value to obtain a fourth value; if the fourth value is less than or equal to the connection number threshold, the connection number threshold is used as the new connection number baseline, and if the fourth value is greater than the connection number threshold, the fourth value is used as the new connection number baseline, where P is greater than 1. It calculates the average value and the standard deviation of the connection concurrency in the period and adds Q times the standard deviation to the average value to obtain a fifth value; if the fifth value is less than or equal to the concurrency threshold, the concurrency threshold is used as the connection concurrency baseline, and if the fifth value is greater than the concurrency threshold, the fifth value is used as the connection concurrency baseline, where Q is greater than 1.
It should be noted that: in the TCP traffic filtering apparatus provided in the foregoing embodiment, when the TCP traffic filtering method is implemented, only the division of the functional modules is illustrated, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the apparatus is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the TCP flow filtering apparatus provided in the foregoing embodiment and the TCP flow filtering method embodiment belong to the same concept, and specific implementation processes thereof are described in the method embodiment and are not described herein again.
Fig. 6 is a schematic structural diagram of a server according to an embodiment of the present invention. The server may be the TCP traffic filtering system. Specifically, the server includes the following components:
the TCP traffic filtering system 400 includes a Central Processing Unit (CPU)401, a system memory 404 including a Random Access Memory (RAM)402 and a Read Only Memory (ROM)403, and a system bus 405 connecting the system memory 404 and the central processing unit 401. The TCP traffic filtering system 400 also includes a basic input/output system (I/O system) 406 to facilitate the transfer of information between devices within the computer, and a mass storage device 407 for storing an operating system 413, application programs 414, and other program modules 415.
The basic input/output system 406 includes a display 408 for displaying information and an input device 409 such as a mouse, keyboard, etc. for user input of information. Wherein a display 408 and an input device 409 are connected to the central processing unit 401 through an input output controller 410 connected to the system bus 405. The basic input/output system 406 may also include an input/output controller 410 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, input/output controller 410 may also provide output to a display screen, a printer, or other type of output device.
The mass storage device 407 is connected to the central processing unit 401 through a mass storage controller (not shown) connected to the system bus 405. The mass storage device 407 and its associated computer-readable media provide non-volatile storage for the TCP traffic filtering system 400. That is, the mass storage device 407 may include a computer-readable medium (not shown) such as a hard disk or CD-ROM drive.
Without loss of generality, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, DVD or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that computer storage media is not limited to the foregoing. The system memory 404 and the mass storage device 407 described above may be collectively referred to as memory.
According to various embodiments of the invention, the TCP traffic filtering system 400 may also run on a remote computer connected through a network such as the Internet. That is, the TCP traffic filtering system 400 may be coupled to the network 412 through the network interface unit 411 connected to the system bus 405, or may be coupled to other types of networks or remote computer systems (not shown) using the network interface unit 411.
The memory further includes one or more programs, and the one or more programs are stored in the memory and configured to be executed by the CPU. The CPU 401 implements the TCP traffic filtering method shown in fig. 3 or fig. 4 by executing the one or more programs.
Embodiments of the present invention also provide a non-transitory computer-readable storage medium, where instructions in the storage medium, when executed by a processor of a TCP traffic filtering system, enable the TCP traffic filtering system to perform the TCP traffic filtering method provided in the embodiment shown in fig. 3 or fig. 4.
A computer program product containing instructions which, when run on a computer, cause the computer to perform the TCP traffic filtering method provided by the embodiment of fig. 3 or fig. 4 described above.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (9)

1. A TCP traffic filtering method, the method comprising:
when a server is attacked by a challenge collapsar (CC) attack, determining a trusted source Internet protocol address and an untrusted source Internet protocol address in a source Internet protocol address of a transmission control protocol message sent to the server based on a source Internet protocol address trust list of the server, wherein the trusted source Internet protocol address is a source Internet protocol address in the source Internet protocol address trust list, and the untrusted source Internet protocol address is a source Internet protocol address not in the source Internet protocol address trust list;
transmitting a transmission control protocol message of the trusted source Internet protocol address to the server;
judging whether the transmission rate of the synchronous sequence number message of the untrusted source Internet protocol address exceeds the synchronous sequence number message rate baseline or not by utilizing the synchronous sequence number message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline of the untrusted source Internet protocol address;
intercepting a transmission control protocol message of the untrusted source Internet protocol address when the transmission rate of a synchronous sequence number message of the untrusted source Internet protocol address exceeds a synchronous sequence number message rate baseline;
when the transmission rate of the synchronous sequence number message of the untrusted source Internet protocol address does not exceed the synchronous sequence number message rate baseline, judging whether a message with the message length exceeding the transmission control protocol message length baseline and the rate exceeding the transmission control protocol message rate baseline exists in the transmission control protocol message of the untrusted source Internet protocol address; if the message with the message length exceeding the transmission control protocol message length baseline and the rate exceeding the transmission control protocol message rate baseline exists, the transmission control protocol message of the non-trusted source Internet protocol address is intercepted, and if the message with the message length exceeding the transmission control protocol message length baseline and the rate exceeding the transmission control protocol message rate baseline does not exist, the transmission control protocol message of the non-trusted source Internet protocol address is sent to the server.
2. The method of claim 1, further comprising:
learning, from the TCP packets of the server, the source IP address trust list, the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline;
and storing the source IP address trust list, the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline.
3. The method of claim 2, wherein learning the source IP address trust list from the TCP packets of the server comprises:
recording the source IP addresses of the TCP packets sent to the server;
deleting the source IP addresses recorded while the server was under a Challenge Collapsar (CC) attack;
selecting the source IP addresses that appear in at least M of N consecutive periods to generate the source IP address trust list, wherein N and M are integers and N ≥ M > 1.
4. The method of claim 2, wherein learning the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline from the TCP packets of the server comprises:
acquiring the SYN packet rate, the TCP packet length and the TCP packet rate from the TCP packets of the server;
deleting the SYN packet rate, TCP packet length and TCP packet rate values acquired while the server was under a Challenge Collapsar (CC) attack;
and periodically generating the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline from the remaining SYN packet rate, TCP packet length and TCP packet rate values.
5. The method of claim 4, wherein periodically generating the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline from the SYN packet rate, TCP packet length and TCP packet rate values comprises:
calculating the mean and the standard deviation of the SYN packet rate within the period and adding X times the standard deviation to the mean to obtain a first value; if the first value is less than or equal to a first rate threshold, adopting the first rate threshold as the SYN packet rate baseline, and if the first value is greater than the first rate threshold, adopting the first value as the SYN packet rate baseline, where X > 1;
calculating the mean and the standard deviation of the TCP packet length within the period and adding Y times the standard deviation to the mean to obtain a second value; if the second value is less than or equal to a packet length threshold, adopting the packet length threshold as the TCP packet length baseline, and if the second value is greater than the packet length threshold, adopting the second value as the TCP packet length baseline, where Y > 1;
calculating the mean and the standard deviation of the TCP packet rate within the period and adding Z times the standard deviation to the mean to obtain a third value; if the third value is less than or equal to a second rate threshold, adopting the second rate threshold as the TCP packet rate baseline, and if the third value is greater than the second rate threshold, adopting the third value as the TCP packet rate baseline, where Z > 1.
6. The method of claim 1, further comprising:
counting, per unit time, the number of new connections, the number of concurrent connections and the number of abnormal connections of the server;
and determining that the server is under a Challenge Collapsar (CC) attack when any one of the number of new connections, the number of concurrent connections and the number of abnormal connections of the server exceeds its corresponding safety threshold.
7. An apparatus for TCP traffic filtering, the apparatus comprising:
a judging module configured to, when the server is under a Challenge Collapsar (CC) attack, determine, based on a source IP address trust list of the server, which source IP addresses of the TCP packets sent to the server are trusted and which are untrusted, wherein a trusted source IP address is a source IP address that is in the trust list and an untrusted source IP address is a source IP address that is not in the trust list;
a filtering module configured to forward the TCP packets of the trusted source IP addresses to the server; judge, by means of the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline for untrusted source IP addresses, whether the SYN packet rate of an untrusted source IP address exceeds the SYN packet rate baseline; intercept the TCP packets of the untrusted source IP address when its SYN packet rate exceeds the SYN packet rate baseline; when its SYN packet rate does not exceed the SYN packet rate baseline, judge whether the TCP packets of the untrusted source IP address include packets whose length exceeds the TCP packet length baseline and whose rate exceeds the TCP packet rate baseline; if such packets exist, intercept the TCP packets of the untrusted source IP address, and if no such packets exist, forward the TCP packets of the untrusted source IP address to the server.
8. A server comprising a processor and a memory, the memory storing at least one instruction that is loaded and executed by the processor to implement the TCP traffic filtering method of any one of claims 1 to 6.
9. A computer-readable storage medium storing at least one instruction that is loaded and executed by a processor to implement the TCP traffic filtering method of any one of claims 1 to 6.
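As an added worked example (not the patent's own code, and not anything published by Tencent), the following Python carries the learning and filtering steps of claims 1 to 6 end to end over constructed traffic summaries: baseline = max(mean + k·stddev, floor) per claim 5, attack-time samples discarded per claims 3 and 4, an M-of-N trust list per claim 3, the three-counter attack detector of claim 6, and the per-source pass/drop decision of claim 1. Every parameter value (X = Y = Z = 3, the three floor thresholds, the connection safety limits, M = 2 of N = 4 periods), every address and every sample record is an assumption for the example; the claims fix only the decision structure. One reading of the claim 1 "length exceeds the length baseline and rate exceeds the rate baseline" test is also assumed, as stated in the module docstring.

```python
"""Learning and filtering steps of claims 1 to 6 of CN108810008B, as an added
illustration: not code from the patent or from Tencent. The claims fix only
the decision structure, so every parameter, address and sample record here is
constructed. Assumed reading of the claim 1 length-and-rate test: the largest
packet from a source exceeds the length baseline AND that source's packet
rate exceeds the rate baseline."""
from statistics import mean, pstdev
from typing import NamedTuple


class Baselines(NamedTuple):
    syn_rate: float   # SYN packets per second
    pkt_len: float    # bytes per TCP packet
    pkt_rate: float   # TCP packets per second


def baseline(samples, k, floor):
    """Claim 5: mean + k*stddev over the period, but never below a fixed
    threshold, so a quiet learning period cannot block ordinary traffic."""
    if k <= 1:
        raise ValueError("claim 5 requires the multiplier to exceed 1")
    return max(mean(samples) + k * pstdev(samples), floor)


def learn_baselines(samples, k=(3.0, 3.0, 3.0), floors=(5.0, 200.0, 200.0)):
    """Claim 4: drop samples flagged as taken under attack, then build."""
    clean = [s for s in samples if not s["under_attack"]]
    return Baselines(
        baseline([s["syn_rate"] for s in clean], k[0], floors[0]),
        baseline([s["pkt_len"] for s in clean], k[1], floors[1]),
        baseline([s["pkt_rate"] for s in clean], k[2], floors[2]),
    )


def learn_trust_list(periods, m):
    """Claim 3: trust a source IP seen in at least M of N consecutive
    periods; a period recorded under attack is passed as None and skipped."""
    if not len(periods) >= m > 1:
        raise ValueError("claim 3 requires N >= M > 1")
    counts = {}
    for seen in periods:
        for ip in seen or ():
            counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, c in counts.items() if c >= m}


def is_under_attack(new_conns, concurrent, abnormal, limits):
    """Claim 6: any one per-unit-time counter over its safety threshold."""
    return (new_conns > limits["new"] or concurrent > limits["concurrent"]
            or abnormal > limits["abnormal"])


def filter_sources(window, trust_list, bl):
    """Claim 1 per source IP; window maps a source IP to its SYN rate,
    packet rate and largest packet length. Returns {ip: "pass" | "drop"}."""
    verdict = {}
    for ip, s in window.items():
        if ip in trust_list:
            verdict[ip] = "pass"    # trusted: forwarded unconditionally
        elif s["syn_rate"] > bl.syn_rate:
            verdict[ip] = "drop"    # SYN rate above its baseline
        elif s["max_len"] > bl.pkt_len and s["pkt_rate"] > bl.pkt_rate:
            verdict[ip] = "drop"    # oversized packets at a high rate
        else:
            verdict[ip] = "pass"
    return verdict


# Constructed learning samples; the under_attack one is discarded. The rest
# give mean/stddev 12/2 (SYN), 620/20 (length), 90/10 (rate): with k = 3 the
# baselines are 18, 680 and 120, and 120 is lifted to the 200 floor.
LEARNING_SAMPLES = [
    {"syn_rate": 10, "pkt_len": 600, "pkt_rate": 80, "under_attack": False},
    {"syn_rate": 10, "pkt_len": 600, "pkt_rate": 100, "under_attack": False},
    {"syn_rate": 900, "pkt_len": 1400, "pkt_rate": 5000, "under_attack": True},
    {"syn_rate": 14, "pkt_len": 640, "pkt_rate": 80, "under_attack": False},
    {"syn_rate": 14, "pkt_len": 640, "pkt_rate": 100, "under_attack": False},
]
# Constructed N = 4 periods of observed sources; the third was under attack.
LEARNING_PERIODS = [{"10.0.0.1", "10.0.0.2"}, {"10.0.0.1", "10.0.0.3"}, None,
                    {"10.0.0.1", "10.0.0.2", "10.0.0.4"}]
# Constructed per-source summary of one window while the attack is on.
WINDOW = {
    "10.0.0.1": {"syn_rate": 500, "max_len": 1400, "pkt_rate": 900},  # trusted
    "10.0.0.3": {"syn_rate": 40, "max_len": 500, "pkt_rate": 50},     # SYN flood
    "10.0.0.5": {"syn_rate": 5, "max_len": 1200, "pkt_rate": 300},    # long + fast
    "10.0.0.6": {"syn_rate": 5, "max_len": 1200, "pkt_rate": 60},     # long, slow
    "10.0.0.7": {"syn_rate": 5, "max_len": 400, "pkt_rate": 300},     # short, fast
}
LIMITS = {"new": 1000, "concurrent": 5000, "abnormal": 100}  # claim 6 thresholds


def run_example():
    """Learn from the constructed data, then filter the attack window."""
    bl = learn_baselines(LEARNING_SAMPLES)
    trusted = learn_trust_list(LEARNING_PERIODS, m=2)
    attacked = is_under_attack(4000, 800, 3, LIMITS)
    verdict = filter_sources(WINDOW, trusted, bl) if attacked else {}
    return bl, trusted, attacked, verdict
```

With this data, `run_example()` learns baselines of 18 SYN/s, 680 bytes and 200 packets/s (the last lifted to its floor, which is the point of the threshold in claim 5), trusts 10.0.0.1 and 10.0.0.2, flags the window as an attack on the new-connection counter alone, and then drops 10.0.0.3 (SYN rate over baseline) and 10.0.0.5 (large packets at a high rate) while passing a source that is long-but-slow and one that is fast-but-short. The first window entry shows the design consequence a practitioner should keep in mind: a source on the trust list is forwarded unconditionally, whatever it sends, so the trust list is the part of the scheme that carries the risk, and it is learned only from attack-free periods for exactly that reason.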
CN201810685411.7A 2018-06-28 2018-06-28 Transmission control protocol flow filtering method, device, server and storage medium Active CN108810008B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810685411.7A CN108810008B (en) 2018-06-28 2018-06-28 Transmission control protocol flow filtering method, device, server and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810685411.7A CN108810008B (en) 2018-06-28 2018-06-28 Transmission control protocol flow filtering method, device, server and storage medium

Publications (2)

Publication Number Publication Date
CN108810008A CN108810008A (en) 2018-11-13
CN108810008B true CN108810008B (en) 2020-06-30

Family

ID=64071322

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810685411.7A Active CN108810008B (en) 2018-06-28 2018-06-28 Transmission control protocol flow filtering method, device, server and storage medium

Country Status (1)

Country Link
CN (1) CN108810008B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110661722B (en) * 2019-09-09 2022-07-22 New H3C Security Technologies Co., Ltd. Flow control method and device
CN113132331A (en) * 2019-12-31 2021-07-16 Qi An Xin Technology Group Inc. Abnormal message detection method, device, electronic equipment and medium
CN113452647B (en) * 2020-03-24 2022-11-29 Baidu Online Network Technology (Beijing) Co., Ltd. Feature identification method, feature identification device, electronic equipment and computer-readable storage medium
TWI768462B (en) * 2020-09-09 2022-06-21 Chunghwa Telecom Co., Ltd. Method and electronic device for detecting abnormal connection behavior of terminal emulator

Citations (10)

Publication number Priority date Publication date Assignee Title
CN101136917A (en) * 2007-07-12 2008-03-05 ZTE Corporation Transmission control protocol blocking module and soft switch method
CN101478387A (en) * 2008-12-31 2009-07-08 Chengdu Huawei Symantec Technologies Co., Ltd. Defense method, apparatus and system for hypertext transfer protocol attack
CN101594269A (en) * 2009-06-29 2009-12-02 Chengdu Huawei Symantec Technologies Co., Ltd. Abnormal connection detection method, apparatus and gateway device
CN103001958A (en) * 2012-11-27 2013-03-27 Beijing Baidu Netcom Science and Technology Co., Ltd. Abnormal transmission control protocol (TCP) packet processing method and device
CN104113559A (en) * 2014-08-13 2014-10-22 Inspur Electronic Information Industry Co., Ltd. Method for resisting TCP full-connection attack
CN105119942A (en) * 2015-09-16 2015-12-02 Guangdong Ruijiang Technology Co., Ltd. Flood attack detection method
CN105991632A (en) * 2015-04-20 2016-10-05 Hangzhou DPtech Technologies Co., Ltd. Network security protection method and device
CN106357685A (en) * 2016-10-28 2017-01-25 Beijing NSFOCUS Information Security Technology Co., Ltd. Method and device for defending against distributed denial of service attack
CN106790310A (en) * 2017-03-31 2017-05-31 Wangsu Science & Technology Co., Ltd. Method and system for integrating distributed denial of service attack protection with load balancing
CN107104929A (en) * 2016-02-23 2017-08-29 Alibaba Group Holding Limited Method, device and system for defending against network attacks

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
KR20130022089A (en) * 2011-08-24 2013-03-06 Electronics and Telecommunications Research Institute (ETRI) Method for releasing TCP connections against distributed denial of service attacks and apparatus for the same


Non-Patent Citations (1)

Title
DDoS detection model based on anomaly features (基于异常特征的DDoS检测模型); Liao Peng (廖鹏); Transformation of the Economic Development Mode and Independent Innovation: 12th Annual Meeting of the China Association for Science and Technology (第十二届中国科学技术协会年会); 2010-11-01; pages 1-6 *

Also Published As

Publication number Publication date
CN108810008A (en) 2018-11-13

Similar Documents

Publication Publication Date Title
CN108040057B (en) Working method of SDN system suitable for guaranteeing network security and network communication quality
CN108810008B (en) Transmission control protocol flow filtering method, device, server and storage medium
CN108737447B (en) User datagram protocol flow filtering method, device, server and storage medium
CN101589595B (en) A containment mechanism for potentially contaminated end systems
US6973040B1 (en) Method of maintaining lists of network characteristics
JP6726331B2 (en) Systems and methods for regulating access requests
US9130978B2 (en) Systems and methods for detecting and preventing flooding attacks in a network environment
US20060191003A1 (en) Method of improving security performance in stateful inspection of TCP connections
EP1919162A2 (en) Identification of potential network threats using a distributed threshold random walk
US20050278779A1 (en) System and method for identifying the source of a denial-of-service attack
RU2636640C2 (en) Protection method of virtual private communication networks elements from ddos-attacks
US20120144487A1 (en) Routing apparatus and method for detecting server attack and network using the same
US9800593B2 (en) Controller for software defined networking and method of detecting attacker
CN110266650B (en) Identification method of Conpot industrial control honeypot
WO2011032321A1 (en) Data forwarding method, data processing method, system and device thereof
US11811820B2 (en) Malicious C and C channel to fixed IP detection
CN111212096A (en) Method, device, storage medium and computer for reducing IDC defense cost
Saurabh et al. ICMP based IP traceback with negligible overhead for highly distributed reflector attack using bloom filters
CN106487790B (en) Cleaning method and system for ACK FLOOD attacks
CN108667829B (en) Network attack protection method, device and storage medium
EP1739921A1 (en) Progressive wiretap
Wang et al. Efficient and low‐cost defense against distributed denial‐of‐service attacks in SDN‐based networks
US7464409B2 (en) Perimeter-based defense against data flooding in a data communication network
CN102546587B Method and device for preventing the session resources of a gateway system from being maliciously exhausted
Beitollahi et al. A cooperative mechanism to defense against distributed denial of service attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant