CN108989275A - A kind of attack prevention method and device - Google Patents
A kind of attack prevention method and device
- Publication number: CN108989275A
- Application number: CN201711122077.6A
- Authority: CN (China)
- Prior art keywords: message, address, source, list, address list
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The application provides an attack prevention method and device. The method is applied to an intermediate device and comprises: receiving a first message whose destination IP address is the IP address of a server protected by the intermediate device; if a saved first IP address list contains the source IP address of the first message, forwarding the first message; if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, adding that source IP address to the second IP address list and sending a second message whose source IP address is the destination IP address of the first message or the address of the intermediate device, whose destination IP address is the source IP address of the first message, and whose destination port number is a port number in a preset range; and if a response message indicating that the second message is in error is received for the second message, adding the source IP address of the first message to the first IP address list.
Description
Technical field
This application relates to the field of communication technology, and in particular to an attack prevention method and device.
Background technique
With the development of networks, the network environment has become increasingly complex and network attacks increasingly frequent; DoS (Denial of Service) attacks, including DDoS (Distributed Denial of Service) attacks, are the most common. In a DoS attack, the attacker uses a large number of packets or malformed messages in a short time to continuously initiate connections to, or request responses from, a network device, so that the device is overloaded and cannot process legitimate messages, causing service anomalies or even device paralysis.

A common current method of preventing DoS attacks is: a network security device measures the rate of messages sent to a specific destination address; when the rate exceeds a set threshold it discards messages sent to that destination address, and when the rate falls below the threshold it allows messages to reach that address again.

This method has the following disadvantage: when normal messages and attack messages are mixed together, once DoS attack prevention is started, not only attack messages but also normal messages are discarded; if normal messages are repeatedly dropped, normal services are affected. It can be seen that this method cannot effectively reduce the impact of DoS attacks on the services of the network device.
Summary of the invention
In view of this, the application provides an attack prevention method and device so that, when normal messages and attack messages are mixed together, normal messages can be distinguished from attack messages and normal messages are not repeatedly treated as attack messages and discarded.

Specifically, the application is achieved by the following technical solution:

In a first aspect, the application provides an attack prevention method applied to an intermediate device, the method comprising:

receiving a first message, the destination IP address of the first message being the IP address of a server protected by the intermediate device;

if the saved first IP address list contains the source IP address of the first message, forwarding the first message;

if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, adding the source IP address of the first message to the second IP address list and sending a second message, the source IP address of the second message being the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message being the source IP address of the first message, and the destination port number of the second message being a port number in a preset range;

if a response message indicating that the second message is in error is received for the second message, adding the source IP address of the first message to the first IP address list.

In a second aspect, the application provides an attack-defending device that can be applied to an intermediate device. The device has the function of implementing the above method; the function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.

In one implementation, the device may include:

a transmit-receive unit for receiving a first message, the destination IP address of the first message being the IP address of a server protected by the intermediate device;

an attack-defending unit for: if the saved first IP address list contains the source IP address of the first message, instructing the transmit-receive unit to forward the first message; if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, adding the source IP address of the first message to the second IP address list and instructing the transmit-receive unit to send a second message, the source IP address of the second message being the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message being the source IP address of the first message, and the destination port number of the second message being a port number in a preset range; and if the transmit-receive unit receives, for the second message, a response message indicating that the second message is in error, adding the source IP address of the first message to the first IP address list.

In another implementation, the device may include a communication interface, a processor, a memory and a bus; the communication interface, the processor and the memory are connected to each other by the bus, and the processor executes the attack prevention method of the first aspect by reading logical instructions stored in the memory.

When the application guards against DoS attacks, the intermediate device can distinguish normal messages from attack messages based on the recorded first IP address list and second IP address list. When neither list contains the source IP address of a message to be forwarded, it cannot yet be determined whether the message is an attack message, so the source IP address is first added to the second IP address list, and a message whose destination port number lies outside the normal range is sent to that source IP address to judge whether it is an attack source. If it is not, the message is a normal message and the source IP address is added to the first IP address list; if it is, the message is an attack message and the source IP address is not added to the first IP address list. When a message from that source IP address is received again, the intermediate device forwards it directly if the source IP address is found in the first IP address list, and discards it directly if the source IP address is not found in the first IP address list but is found in the second IP address list. This process not only prevents DoS attacks effectively but also lets the intermediate device distinguish normal messages from attack messages.
Description of the drawings
Fig. 1 is a flow diagram of the method provided by the application;
Fig. 2 is a schematic diagram of the processing of a normal message provided by the application;
Fig. 3 is a schematic diagram of the processing of an attack message provided by the application;
Fig. 4 is a functional block diagram of the device provided by the application;
Fig. 5 is a hardware structure diagram of the device shown in Fig. 4.
Detailed description of embodiments
Example embodiments are described in detail here and illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following examples do not represent all embodiments consistent with the application; rather, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.

The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "the" and "said" used in the application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.

It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, the information should not be limited by these terms; the terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
The application remedies the defect of existing DoS attack prevention techniques, which cannot distinguish normal messages from attack messages: when normal messages and attack messages are sent to the same destination at the same time, the intermediate device can tell them apart, forward the normal messages normally and discard the attack messages.

Here the intermediate device refers to a device located between a source device and a destination device; it may be, for example, a network access device (such as a hub or switch), an internetworking device (such as a router) or a network security device (such as a firewall or attack-prevention device).

To give the intermediate device the ability to identify normal messages and attack messages, the application adds the following two functions to it:

First, recording the message source IP (Internet Protocol) addresses detected by this device that correspond to real devices, i.e. the source IP addresses of normal messages; the application records such source IP addresses in a first IP address list. A real device here means a device that actually exists, and may include physical devices and virtual devices.

Second, recording the message source IP addresses detected by this device, i.e. the source IP addresses of both normal messages and attack messages; the application may record the source IP addresses of all detected messages in a second IP address list, or may record the source IP addresses of normal messages in the first IP address list and the source IP addresses of attack messages and of unknown messages in the second address list.

How the intermediate device distinguishes normal messages from attack messages based on the first and second IP address lists recorded above is explained below by the method flow shown in Fig. 1. Referring to Fig. 1, the method may include the following steps:
Step 101: receive a first message whose destination IP address is the IP address of a server protected by the intermediate device.

Here the first message may be a TCP (Transmission Control Protocol) message, a UDP (User Datagram Protocol) message, an ICMP (Internet Control Message Protocol) message, etc. In practice, a UDP Flood attack is a relatively common DoS attack; it uses the protocol stack to send a large number of half-connection messages to the server, and these half-connections consume a large amount of server resources.
Step 102: if the saved first IP address list contains the source IP address of the first message, forward the first message.

When the intermediate device finds the source IP address of the first message in the first IP address list, this shows that the device has previously detected that source IP address and confirmed that it is a real address, so the message is forwarded directly.

When the intermediate device does not find the source IP address of the first message in the first IP address list, there are two possibilities: either the device has not detected that source IP address before (or once detected it but the detection result has been aged out and deleted), or the device has detected it before and confirmed that it does not correspond to a real device. Which situation the current first message belongs to is determined with the help of the second IP address list, as follows:
Step 103: if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, add the source IP address of the first message to the second IP address list and send a second message; the source IP address of the second message is the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message is the source IP address of the first message, and the destination port number of the second message is a port number in a preset range.

When the intermediate device finds the source IP address of the first message in neither the first nor the second IP address list, this shows that the device has not detected that source IP address before (or once detected it but the result has been aged out and deleted), so the device first adds the source IP address of the first message to the second IP address list and then checks whether the source IP address corresponds to a real device. As for how the first message itself is handled in this case, the intermediate device may discard the first message immediately; it may transform the first message into the second message and send it to the source IP address of the first message to check whether that source IP address corresponds to a real device; or it may temporarily hold the first message and decide whether to forward or discard it once the detection result of the second message is known.
Step 104: if a response message indicating that the second message is in error is received for the second message, add the source IP address of the first message to the first IP address list.

In one embodiment, the second message may be a message with a very large destination port number; for example, the destination port number of the second message may be a port number from 32768 to 65535 inclusive. If the source IP address of the first message corresponds to a real device, then when that device receives a message whose port number is not a well-known port and is very large, it returns an ICMP port unreachable message. If the source IP address of the first message does not correspond to a real device, the device identified by that source IP address simply does not exist; it naturally will not receive the second message sent by the intermediate device and naturally will not respond with an ICMP port unreachable message. Based on this, if the intermediate device receives an ICMP port unreachable message, it can determine that the source IP address of the first message corresponds to a real device and that the first message is a legitimate message, so it adds the source IP address of the first message to the first IP address list. If the intermediate device never receives an ICMP port unreachable message, the source IP address of the first message is never added to the first IP address list.
As mentioned in step 103, when neither the first nor the second IP address list contains the source IP address of the first message, that source IP address is added to the second IP address list. For a source IP address so added to the second IP address list, there are two processing modes:

In the first mode, if the intermediate device subsequently receives, within a preset time, a response message indicating that the second message is in error, it may delete the source IP address of the first message recorded in the second IP address list; conversely, if the intermediate device does not receive such a response message within the preset time, it retains the source IP address of the first message in the second IP address list. In this mode the second IP address list ultimately records only the source IP addresses of attack messages and need not record the source IP addresses of normal messages, which saves memory resources of the intermediate device. Of course, to achieve the purpose of the second IP address list recording only the source IP addresses of attack messages, the intermediate device may also, upon determining in step 103 that neither the first IP address list nor the second IP address list contains the source IP address of the first message, send the second message first; if a response message for the second message is received within the preset time, the source IP address of the first message is not added to the second IP address list, and if no response message is received within the preset time, the source IP address of the first message is added to the second IP address list.

In the second mode, the source IP address of the first message is retained in the second IP address list regardless of whether the intermediate device subsequently receives a response message indicating that the second message is in error. In this mode the second IP address list holds the source IP addresses of both normal messages and attack messages. Compared with the first mode, its advantage is that no timer needs to be started to judge whether a response from the source IP address of the first message is received within the preset time, which saves processing resources of the intermediate device.
Besides the situation described in step 103, the following situation may also arise regarding whether the first and second IP address lists contain the source IP address of the first message: the first IP address list does not contain the source IP address of the first message, but the second IP address list does. This shows that the intermediate device has detected the source IP address of the first message before; since the source IP address is recorded in the second IP address list but not in the first, it can be determined that the source IP address of the first message does not correspond to a real device, and the intermediate device can discard the first message directly.
Through the above process, the intermediate device adds the source IP addresses of normal messages to the first IP address list, so that when a normal source IP address sends a message again, the source IP address is found in the first IP address list and the message is forwarded directly; and it adds the source IP addresses of attack messages only to the second IP address list, so that when an attack source IP address sends a message again, the intermediate device finds the source IP address only in the second IP address list and discards the message directly. This process not only effectively prevents DoS attacks but also lets the intermediate device distinguish normal messages from attack messages.
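The decision logic of steps 101 to 104, together with the two processing modes for entries in the second IP address list, as an added Python simulation; this is not code from the patent, and the class name, the probe timeout and the check that the ICMP error quotes the probe's destination port are assumptions:

```python
import random
import time

PROBE_PORT_MIN, PROBE_PORT_MAX = 32768, 65535   # destination port range given for the second message
FORWARD, DROP, PROBE = "forward", "drop", "probe"


class IntermediateDevice:
    """Two-list filter in front of one protected server (assumed class name)."""

    def __init__(self, protected_server, delete_on_reply=True, probe_timeout=2.0, rng=None):
        self.protected_server = protected_server
        self.first_list = set()       # source IPs confirmed to belong to a real device
        self.second_list = set()      # source IPs seen but not confirmed
        self.pending = {}             # source IP -> (probe destination port, time sent)
        self.delete_on_reply = delete_on_reply   # True: first processing mode; False: second mode
        self.probe_timeout = probe_timeout       # the "preset time" to wait for a reply (assumed value)
        self.rng = rng or random.Random()

    def handle_packet(self, src_ip, dst_ip, now=None):
        """Steps 101-104 for one incoming message: returns (action, probe-or-None)."""
        if dst_ip != self.protected_server:
            return FORWARD, None              # prevention only applies to the protected server
        if src_ip in self.first_list:
            return FORWARD, None              # step 102: known real device
        if src_ip in self.second_list:
            return DROP, None                 # seen before but never confirmed
        # step 103: unknown source. Record it, drop this message (the first of the three
        # handling options the text lists) and send the second message as a probe.
        self.second_list.add(src_ip)
        port = self.rng.randint(PROBE_PORT_MIN, PROBE_PORT_MAX)
        self.pending[src_ip] = (port, time.monotonic() if now is None else now)
        probe = {"src": self.protected_server, "dst": src_ip, "dst_port": port}
        return PROBE, probe

    def on_icmp_port_unreachable(self, from_ip, quoted_dst_port):
        """Step 104. quoted_dst_port is the UDP destination port echoed inside the ICMP
        error (RFC 792 quotes the original IP header plus 8 bytes of payload); requiring
        it to match the outstanding probe is an added check, not part of the patent text."""
        entry = self.pending.get(from_ip)
        if entry is None or entry[0] != quoted_dst_port:
            return False                      # no probe outstanding or wrong port: ignore
        del self.pending[from_ip]
        self.first_list.add(from_ip)
        if self.delete_on_reply:
            self.second_list.discard(from_ip) # first mode: second list keeps attack sources only
        return True

    def expire_probes(self, now):
        """Give up on probes with no reply within probe_timeout; the source stays in the
        second list, so its later messages are dropped."""
        expired = [ip for ip, (_, sent) in self.pending.items() if now - sent > self.probe_timeout]
        for ip in expired:
            del self.pending[ip]
        return expired


def replay(dev, src_ip, reply):
    """Replay the Fig. 2 (reply=True) or Fig. 3 (reply=False) sequence; returns the actions taken."""
    actions = []
    action, probe = dev.handle_packet(src_ip, dev.protected_server, now=0.0)
    actions.append(action)
    if reply:
        dev.on_icmp_port_unreachable(src_ip, probe["dst_port"])   # real client answers
    else:
        dev.expire_probes(now=10.0)                               # nonexistent client never answers
    actions.append(dev.handle_packet(src_ip, dev.protected_server, now=11.0)[0])
    return actions


if __name__ == "__main__":
    # constructed sample addresses (documentation ranges)
    print("Fig. 2 (real client):", replay(IntermediateDevice("10.0.0.5"), "192.0.2.10", True))
    print("Fig. 3 (nonexistent client):", replay(IntermediateDevice("10.0.0.5"), "203.0.113.7", False))
```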
To improve the efficiency of DoS attack prevention and reduce resource consumption, the intermediate device may perform DoS attack prevention only for certain specific IP addresses; for example, it may perform DoS attack prevention for messages whose destination address is the IP address of a server that this device is to protect.

Alternatively, and further, after confirming that the destination IP address of a received message is the IP address of a server protected by this device, the intermediate device may further judge whether the number of messages (including normal messages and attack messages) whose destination address is the IP address of the server to be protected, received in a preset time before receiving the first message, exceeds a set threshold, and execute DoS attack prevention only if it does. Specifically, in step 102 the intermediate device forwards the first message when the number of messages whose destination address is the destination IP address of the first message, received in the preset time before receiving the first message, exceeds the set threshold and the saved first IP list contains the source IP address of the first message. Similarly, in step 103 the intermediate device adds the source IP address of the first message to the second IP address list and sends the second message when the number of messages whose destination address is the destination IP address of the first message, received in the preset time before receiving the first message, exceeds the set threshold and neither the first nor the second IP address list contains the source IP address of the first message. Similarly, in step 104 the intermediate device discards the first message when the number of messages whose destination address is the destination IP address of the first message, received in the preset time before receiving the first message, exceeds the set threshold, the first IP address list does not contain the source IP address of the first message, and the second IP address list does contain it.

Correspondingly, if the number of messages whose destination IP address is the destination IP address of the first message, received by the intermediate device in the preset time before receiving the first message, is below the set threshold, the intermediate device may forward the first message directly.
As one embodiment, to further ensure the timeliness of the DoS attack detection results, the first IP address list and the second IP address list may also be aged. There can be many aging means: for example, an aging time may be configured manually for the source IP addresses recorded in the first and second IP address lists; or a statistics field may be added to the first and second IP address lists to count, in each period, the number of messages received from each source IP address in the list. If the count for a source IP address is 0 in a period, that source IP address is deleted from the first and second IP address lists; if it is not 0, the source IP address is retained and its count is reset to zero.
The first IP address list and the second IP address list may be organized in either of the following two ways:

In one way, the intermediate device maintains a separate first IP address list and second IP address list for the IP address of each protected server. In this way, the intermediate device creates a first IP address list and a second IP address list for a server IP address when it determines that the address meets the DoS attack detection conditions, and deletes the first and second IP address lists associated with the address when it determines that the address no longer meets the DoS attack detection conditions. Correspondingly, in steps 102 to 104 the intermediate device looks up the source IP address of the first message in the first and second IP address lists associated with the destination IP address of the first message.

In another way, the intermediate device maintains a single first IP address list and a single second IP address list for the IP addresses of all servers to be protected. In this way, the two tables may be stored permanently in the intermediate device (or in a third-party device); when the intermediate device determines that the IP address of some server no longer meets the DoS attack detection conditions, it may clear the contents of the two tables. Correspondingly, in steps 102 to 104 the intermediate device looks up the source IP address of the first message in the single saved first IP address list and second IP address list.
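The activation threshold and the counter-based aging described above, combined with the per-server organisation of the two lists, as an added Python example that is not the patent's own code; the class name, the window length and the threshold value are assumptions:

```python
from collections import deque

WINDOW_SECONDS = 1.0   # assumed "preset time"
THRESHOLD = 3          # assumed "set threshold": more than this many messages per window


class ServerGuard:
    """State kept for one protected server IP (assumed name): arrival window plus
    the two lists, each entry carrying the per-period message counter used for aging."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.arrivals = deque()        # timestamps of messages addressed to this server
        self.first_list = {}           # confirmed source IP -> messages seen this period
        self.second_list = {}          # unconfirmed source IP -> messages seen this period

    def message_seen(self, src_ip, now):
        """Record an arrival; return True when DoS prevention applies to this message,
        i.e. when more than `threshold` messages reached this server within the window."""
        self.arrivals.append(now)
        while self.arrivals and now - self.arrivals[0] > self.window:
            self.arrivals.popleft()
        # count the hit for the aging sweep, whichever list the source is in
        for table in (self.first_list, self.second_list):
            if src_ip in table:
                table[src_ip] += 1
        return len(self.arrivals) > self.threshold

    def learn(self, src_ip, real_device):
        """Record a detection result: real devices go to the first list (first processing
        mode: removed from the second), unconfirmed sources stay in the second list."""
        if real_device:
            self.first_list[src_ip] = 1
            self.second_list.pop(src_ip, None)
        else:
            self.second_list.setdefault(src_ip, 1)

    def age(self):
        """End of a period: delete sources with a zero count, reset the counters of the rest."""
        removed = []
        for table in (self.first_list, self.second_list):
            for ip, count in list(table.items()):
                if count == 0:
                    del table[ip]
                    removed.append(ip)
                else:
                    table[ip] = 0
        return removed
```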
Through the process shown in Fig. 1, normal messages and attack messages can be distinguished and handled separately. For clarity, the technical solution of the application is described below with an example of processing a normal message and an example of processing an attack message.

Fig. 2 shows the processing of a normal message, where the client is a really existing requester and DoS attack prevention for the server-side address has been enabled on the intermediate device. The specific steps are as follows:
1) the intermediate device receives a message sent by the client to the server side;
2) the intermediate device checks whether the first IP address list contains the client address; the result is that it does not;
3) the intermediate device checks whether the second IP address list contains the client address; the result is that it does not;
4) the intermediate device adds the client address to the second IP address list;
5) the intermediate device sends a detection message to the client, with a destination port number between 32768 and 65535;
6) the client returns an ICMP port unreachable message to the intermediate device;
7) the intermediate device adds the client address to the first IP address list;
8) the intermediate device again receives a message sent by the client to the server side;
9) the intermediate device checks whether the first IP address list contains the client address; the result is that it does;
10) the intermediate device forwards the message to the server side.

Fig. 3 shows the processing of an attack message, where the client is an address that does not exist in the network and DoS attack prevention for the server-side address has been enabled on the intermediate device. The specific steps are as follows:
1) the intermediate device receives a message sent by the client to the server side;
2) the intermediate device checks whether the first IP address list contains the client address; the result is that it does not;
3) the intermediate device checks whether the second IP address list contains the client address; the result is that it does not;
4) the intermediate device adds the client address to the second IP address list;
5) the intermediate device sends a detection message to the client, with a destination port number between 32768 and 65535;
Because the client does not exist, it does not return an ICMP port unreachable message, and the intermediate device does not add the client address to the first IP address list.
6) the intermediate device again receives a message sent by the client to the server side;
7) the intermediate device checks whether the first IP address list contains the client address; the result is that it does not;
8) the intermediate device checks whether the second IP address list contains the client address; the result is that it does;
9) the intermediate device discards the message.

In summary, when guarding against DoS attacks, the intermediate device of the application, based on the recorded first IP address list and second IP address list, can not only effectively prevent DoS attacks but also distinguish normal messages from attack messages.
Method provided by the present application is described above.Device provided by the present application is described below.
Referring to Fig. 4, an attack prevention device provided by the application is applied to an intermediate device and may include a transceiver unit 401 and an attack prevention unit 402, wherein:
The transceiver unit 401 is configured to receive a first message, the destination IP address of which is the IP address of the server protected by the intermediate device.
The attack prevention unit 402 is configured to: if the saved first IP address list contains the source IP address of the first message, instruct the transceiver unit 401 to forward the first message; if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, add the source IP address of the first message to the second IP address list and instruct the transceiver unit 401 to send a second message, the source IP address of the second message being the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message being the source IP address of the first message, and the destination port number of the second message being a port number in a preset range; and if the transceiver unit 401 receives a response message to the second message indicating that the second message was in error, add the source IP address of the first message to the first IP address list.
In one embodiment, the attack prevention unit 402 is further configured to discard the first message if the first IP address list does not contain the source IP address of the first message and the second IP address list does contain it.
In one embodiment, the destination port number of the second message is specifically a port number in the range 32768 to 65535, and the response message is an ICMP port unreachable message.
In one embodiment, the attack prevention unit 402 is specifically configured to: if the number of messages received by the transceiver unit 401 in a preset time before receiving the first message whose destination IP address is the IP address of the server protected by the intermediate device exceeds a set threshold, and the saved first IP address list contains the source IP address of the first message, instruct the transceiver unit 401 to forward the first message; if that number exceeds the set threshold and neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, add the source IP address of the first message to the second IP address list and instruct the transceiver unit 401 to send the second message; and if that number exceeds the set threshold, the first IP address list does not contain the source IP address of the first message, and the second IP address list does contain it, discard the first message.
In one embodiment, the attack prevention unit 402 is further configured to instruct the transceiver unit 401 to forward the first message if the number of messages received in the preset time before receiving the first message whose destination IP address is the IP address of the server protected by the intermediate device is below the set threshold.
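The decision logic of steps 1) to 9) above and of the transceiver and attack prevention units, including the threshold embodiment, as an added example that is not part of the patent application. The class and method names are hypothetical; the first IP address list is `verified`, the second is `pending`, and the traffic in `run_scenario` is constructed: a live client at `198.51.100.7` and a flood carrying the forged source `192.0.2.99` behind which no host exists, all aimed at the protected server `203.0.113.10`.

```python
"""Decision logic of the intermediate device: two address lists, a probe to
unverified sources and a rate threshold that switches the check on.

Added example, not the patent application's own code. Names are hypothetical
and the addresses and timings in run_scenario() are constructed.
"""
import random
from collections import deque

PROBE_PORT_MIN, PROBE_PORT_MAX = 32768, 65535   # destination port range of the probe
FORWARD, PROBE, DROP = "forward", "probe", "drop"


class AttackDefender:
    def __init__(self, server_ip, threshold, window, rng=None):
        self.server_ip = server_ip
        self.threshold = threshold        # messages per window above which the check runs
        self.window = window              # the "preset time", in seconds
        self.rng = rng if rng is not None else random.Random()
        self.verified = set()             # first IP address list: sources that answered
        self.pending = {}                 # second IP address list: source -> probe port
        self.recent = deque()             # arrival times of messages for the server

    def _over_threshold(self, now):
        """Count messages for the protected server inside the sliding window."""
        self.recent.append(now)
        while now - self.recent[0] > self.window:
            self.recent.popleft()
        return len(self.recent) > self.threshold

    def handle_message(self, now, src_ip, dst_ip):
        """Return the action for a message arriving at time `now`."""
        if dst_ip != self.server_ip:
            return FORWARD                # not addressed to the protected server
        if not self._over_threshold(now):
            return FORWARD                # below the threshold nothing is checked
        if src_ip in self.verified:
            return FORWARD                # in the first list
        if src_ip in self.pending:
            return DROP                   # probed earlier, no reply yet: second list
        # in neither list: record the source and probe it on a random high port
        self.pending[src_ip] = self.rng.randint(PROBE_PORT_MIN, PROBE_PORT_MAX)
        return PROBE

    def handle_icmp_port_unreachable(self, src_ip, quoted_dport):
        """ICMP port unreachable from src_ip quoting the probe's destination port.
        Only a reply that quotes the port we actually probed moves the source
        from the second list to the first."""
        if self.pending.get(src_ip) != quoted_dport:
            return False
        del self.pending[src_ip]
        self.verified.add(src_ip)
        return True


def run_scenario():
    """Constructed traffic; returns the action taken for each message."""
    server, client, spoofed = "203.0.113.10", "198.51.100.7", "192.0.2.99"
    d = AttackDefender(server, threshold=2, window=1.0, rng=random.Random(7))
    out = {"client": [], "spoofed": []}
    # quiet period: below the threshold the message is forwarded unchecked
    out["client"].append(d.handle_message(0.0, client, server))
    # a flood from a forged source address behind which no host exists
    for i in range(5):
        out["spoofed"].append(d.handle_message(0.2 + 0.01 * i, spoofed, server))
    # the live client sends during the attack: probed once, answers, then forwarded
    out["client"].append(d.handle_message(0.3, client, server))
    out["client_verified"] = d.handle_icmp_port_unreachable(client, d.pending[client])
    out["client"].append(d.handle_message(0.4, client, server))
    # nothing answers for the forged source; a reply quoting the wrong port is ignored
    out["forged_accepted"] = d.handle_icmp_port_unreachable(spoofed, 1)
    out["spoofed"].append(d.handle_message(0.45, spoofed, server))
    # once the window has passed the rate is below the threshold again
    out["spoofed"].append(d.handle_message(2.0, spoofed, server))
    return out


if __name__ == "__main__":
    for source, actions in run_scenario().items():
        print(source, actions)
```

Two points the example makes explicit that the description leaves implicit: the count that feeds the threshold includes messages from every source, verified or not, so a verified client's own traffic keeps the check switched on while a flood lasts; and an entry in the second list has no expiry here, so a deployment would have to age entries out, otherwise a legitimate host that happened to be unreachable when it was probed stays blocked until the rate drops below the threshold.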
It should be noted that the division of units in the embodiments of the present invention is schematic and is merely a division by logical function; another division may be used in actual implementation. The functional units in the embodiments of the application may be integrated in one processing unit, may each exist physically on their own, or two or more units may be integrated in one unit. The integrated unit may be implemented in hardware or as a software functional unit.
This completes the description of the functional modules of the device shown in Fig. 4.
Correspondingly, the application also provides a hardware structure diagram of the intermediate device, which includes a communication interface 501, a processor 502, a memory 503 and a bus 504; the communication interface 501, the processor 502 and the memory 503 communicate with one another over the bus 504.
The communication interface 501 is configured to send and receive messages. The processor 502 may be a CPU, and the memory 503 may be a non-volatile memory in which attack prevention logic instructions are stored; the processor 502 can execute the attack prevention logic instructions stored in the memory 503 to implement the method shown in Fig. 1 above.
This completes the description of the hardware configuration of the intermediate device shown in Fig. 5.
The foregoing are merely preferred embodiments of the application and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the application shall fall within the scope of its protection.
Claims (10)
1. An attack prevention method, characterized in that the method is applied to an intermediate device and comprises:
receiving a first message, the destination IP address of the first message being the IP address of a server protected by the intermediate device;
if a saved first IP address list contains the source IP address of the first message, forwarding the first message;
if neither the saved first IP address list nor a saved second IP address list contains the source IP address of the first message, adding the source IP address of the first message to the second IP address list and sending a second message, wherein the source IP address of the second message is the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message is the source IP address of the first message, and the destination port number of the second message is a port number in a preset range;
if a response message to the second message is received indicating that the second message was in error, adding the source IP address of the first message to the first IP address list.
2. The method according to claim 1, characterized in that the method further comprises:
if the first IP address list does not contain the source IP address of the first message and the second IP address list does contain it, discarding the first message.
3. The method according to claim 1, characterized in that the destination port number of the second message is specifically a port number in the range 32768 to 65535, and the response message is an ICMP port unreachable message.
4. The method according to claim 2, characterized in that:
said forwarding the first message if the saved first IP address list contains the source IP address of the first message comprises: if the number of messages received in a preset time before receiving the first message whose destination IP address is the IP address of the server protected by the intermediate device exceeds a set threshold, and the saved first IP address list contains the source IP address of the first message, forwarding the first message;
said adding the source IP address of the first message to the second IP address list and sending a second message if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message comprises: if the number of messages received in the preset time before receiving the first message whose destination IP address is the IP address of the server protected by the intermediate device exceeds the set threshold, and neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, adding the source IP address of the first message to the second IP address list and sending the second message;
said discarding the first message if the first IP address list does not contain the source IP address of the first message and the second IP address list does contain it comprises: if the number of messages received in the preset time before receiving the first message whose destination IP address is the IP address of the server protected by the intermediate device exceeds the set threshold, the first IP address list does not contain the source IP address of the first message, and the second IP address list does contain it, discarding the first message.
5. The method according to claim 4, characterized in that the method further comprises:
if the number of messages received in the preset time before receiving the first message whose destination IP address is the IP address of the server protected by the intermediate device is below the set threshold, forwarding the first message.
6. An attack prevention device, characterized in that the device is applied to an intermediate device and comprises:
a transceiver unit, configured to receive a first message, the destination IP address of the first message being the IP address of a server protected by the intermediate device;
an attack prevention unit, configured to: if a saved first IP address list contains the source IP address of the first message, instruct the transceiver unit to forward the first message; if neither the saved first IP address list nor a saved second IP address list contains the source IP address of the first message, add the source IP address of the first message to the second IP address list and instruct the transceiver unit to send a second message, wherein the source IP address of the second message is the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message is the source IP address of the first message, and the destination port number of the second message is a port number in a preset range; and if the transceiver unit receives a response message to the second message indicating that the second message was in error, add the source IP address of the first message to the first IP address list.
7. The device according to claim 6, characterized in that:
the attack prevention unit is further configured to discard the first message if the first IP address list does not contain the source IP address of the first message and the second IP address list does contain it.
8. The device according to claim 6, characterized in that the destination port number of the second message is specifically a port number in the range 32768 to 65535, and the response message is an ICMP port unreachable message.
9. The device according to claim 7, characterized in that:
the attack prevention unit is specifically configured to: if the number of messages received by the transceiver unit in a preset time before receiving the first message whose destination IP address is the IP address of the server protected by the intermediate device exceeds a set threshold, and the saved first IP address list contains the source IP address of the first message, instruct the transceiver unit to forward the first message; if the number of messages received by the transceiver unit in the preset time before receiving the first message whose destination IP address is the IP address of the server protected by the intermediate device exceeds the set threshold, and neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, add the source IP address of the first message to the second IP address list and instruct the transceiver unit to send the second message; and if the number of messages received by the transceiver unit in the preset time before receiving the first message whose destination IP address is the IP address of the server protected by the intermediate device exceeds the set threshold, the first IP address list does not contain the source IP address of the first message, and the second IP address list does contain it, discard the first message.
10. The device according to claim 6, characterized in that:
the attack prevention unit is further configured to forward the first message if the number of messages received in the preset time before receiving the first message whose destination IP address is the IP address of the server protected by the intermediate device is below the set threshold.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711122077.6A CN108989275A (en) | 2017-11-14 | 2017-11-14 | A kind of attack prevention method and device |
PCT/CN2018/115132 WO2019096104A1 (en) | 2017-11-14 | 2018-11-13 | Attack prevention |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711122077.6A CN108989275A (en) | 2017-11-14 | 2017-11-14 | A kind of attack prevention method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108989275A true CN108989275A (en) | 2018-12-11 |
Family
ID=64542228
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711122077.6A Pending CN108989275A (en) | 2017-11-14 | 2017-11-14 | A kind of attack prevention method and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108989275A (en) |
WO (1) | WO2019096104A1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050111367A1 (en) * | 2003-11-26 | 2005-05-26 | Hung-Hsiang Jonathan Chao | Distributed architecture for statistical overload control against distributed denial of service attacks |
CN1954545A (en) * | 2003-03-03 | 2007-04-25 | 思科技术公司 | Using TCP to authenticate IP source addresses |
CN102231748A (en) * | 2011-08-02 | 2011-11-02 | 杭州迪普科技有限公司 | Method and device for verifying client |
CN102291441A (en) * | 2011-08-02 | 2011-12-21 | 杭州迪普科技有限公司 | Method and security agent device for protecting against attack of synchronize (SYN) Flood |
CN105991632A (en) * | 2015-04-20 | 2016-10-05 | 杭州迪普科技有限公司 | Network security protection method and device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9473529B2 (en) * | 2006-11-08 | 2016-10-18 | Verizon Patent And Licensing Inc. | Prevention of denial of service (DoS) attacks on session initiation protocol (SIP)-based systems using method vulnerability filtering |
CN101741855B (en) * | 2009-12-16 | 2012-11-28 | 中兴通讯股份有限公司 | Maintenance method of address resolution protocol cache list and network equipment |
CN105430011B (en) * | 2015-12-25 | 2019-02-26 | 杭州朗和科技有限公司 | A kind of method and apparatus detecting distributed denial of service attack |
- 2017-11-14 CN CN201711122077.6A patent/CN108989275A/en active Pending
- 2018-11-13 WO PCT/CN2018/115132 patent/WO2019096104A1/en active Application Filing
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111385248A (en) * | 2018-12-28 | 2020-07-07 | 华为技术有限公司 | Attack defense method and attack defense device |
CN111385248B (en) * | 2018-12-28 | 2021-07-09 | 华为技术有限公司 | Attack defense method and attack defense device |
CN112953895A (en) * | 2021-01-26 | 2021-06-11 | 深信服科技股份有限公司 | Attack behavior detection method, device, equipment and readable storage medium |
CN113810398A (en) * | 2021-09-09 | 2021-12-17 | 新华三信息安全技术有限公司 | Attack protection method, device, equipment and storage medium |
CN113810398B (en) * | 2021-09-09 | 2023-09-26 | 新华三信息安全技术有限公司 | Attack protection method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
WO2019096104A1 (en) | 2019-05-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20181211 |