CN108989275A - A kind of attack prevention method and device - Google Patents

A kind of attack prevention method and device

Info

Publication number: CN108989275A
Application number: CN201711122077.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 王国利
Assignee (current and original): New H3C Security Technologies Co Ltd
Related PCT application: PCT/CN2018/115132 (published as WO2019096104A1)
Prior art keywords: message, address, source, list, address list

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Abstract

The application provides an attack prevention method and device. The method is applied to an intermediate device and comprises: receiving a first message whose destination IP address is the IP address of a server protected by the intermediate device; if the saved first IP address list contains the source IP address of the first message, forwarding the first message; if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, adding the source IP address of the first message to the second IP address list and sending a second message, where the source IP address of the second message is the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message is the source IP address of the first message, and the destination port number of the second message is a port number in a preset range; and if a response message for the second message indicating that the second message is in error is received, adding the source IP address of the first message to the first IP address list.

Description

A kind of attack prevention method and device
Technical field
This application relates to the field of communication technology, and in particular to an attack prevention method and device.
Background technique
With the development of networks, the network environment is increasingly complex and network attacks are increasingly frequent; DoS (Denial of Service) attacks, including DDoS (Distributed Denial of Service) attacks, are the most common. In a DoS attack, the attacker uses a large number of packets or malformed messages within a short time to continuously initiate connections to, or request responses from, a network device, so that the device is overloaded and cannot process legitimate messages, resulting in service exceptions or even device paralysis.
A common method of preventing DoS attacks at present is: a network security device measures the rate of messages sent to a specific destination address; when the rate exceeds a set threshold it discards messages sent to that destination address, and when the rate falls below the threshold it allows messages to reach that destination address.
This method has the following disadvantage: when normal messages and attack messages are mixed together, once DoS attack prevention is started, not only the attack messages but also the normal messages are discarded; if normal messages are discarded repeatedly, legitimate traffic is affected. It can be seen that this method cannot effectively reduce the impact of a DoS attack on the services of the network device.
Summary of the invention
In view of this, the application provides an attack prevention method and device so that, when normal messages and attack messages are mixed together, normal messages and attack messages can be told apart and normal messages are not repeatedly discarded as attack messages.
Specifically, the application is achieved by the following technical solution:
In a first aspect, the application provides an attack prevention method applied to an intermediate device. The method comprises:
receiving a first message, the destination IP address of the first message being the IP address of a server protected by the intermediate device;
if the saved first IP address list contains the source IP address of the first message, forwarding the first message;
if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, adding the source IP address of the first message to the second IP address list and sending a second message, where the source IP address of the second message is the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message is the source IP address of the first message, and the destination port number of the second message is a port number in a preset range;
if a response message for the second message indicating that the second message is in error is received, adding the source IP address of the first message to the first IP address list.
In a second aspect, the application provides an attack prevention device that can be applied to an intermediate device. The device has the function of implementing the above method; the function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above function.
In one implementation, the device may include:
a transceiver unit for receiving a first message, the destination IP address of the first message being the IP address of a server protected by the intermediate device;
an attack prevention unit which, if the saved first IP address list contains the source IP address of the first message, instructs the transceiver unit to forward the first message; if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, adds the source IP address of the first message to the second IP address list and instructs the transceiver unit to send a second message, where the source IP address of the second message is the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message is the source IP address of the first message, and the destination port number of the second message is a port number in a preset range; and, if the transceiver unit receives a response message for the second message indicating that the second message is in error, adds the source IP address of the first message to the first IP address list.
In another implementation, the device may include a communication interface, a processor, a memory and a bus; the communication interface, the processor and the memory are connected to each other via the bus, and the processor executes the attack prevention method of the first aspect by reading the logic instructions stored in the memory.
When the application guards against DoS attacks, the intermediate device can distinguish normal messages from attack messages on the basis of the recorded first IP address list and second IP address list. When neither list contains the source IP address of a message to be forwarded, it cannot yet be determined whether the message is an attack message, so the source IP address of the message is first added to the second IP address list, and a message whose destination port number lies outside the normal range is sent to that source IP address to judge whether the source is an attack source. If it is not, the message is a normal message and the source IP address is added to the first IP address list; if it is, the message is an attack message and the source IP address is not added to the first IP address list. When a message from that source IP address is received again, the intermediate device forwards it directly if the source IP address is found in the first IP address list, and discards it directly if the source IP address is not found in the first IP address list but is found in the second IP address list. This process not only effectively prevents DoS attacks but also lets the intermediate device distinguish normal messages from attack messages.
Detailed description of the invention
Fig. 1 is the method flow chart provided by the application;
Fig. 2 is a schematic diagram of the processing of a normal message provided by the application;
Fig. 3 is a schematic diagram of the processing of an attack message provided by the application;
Fig. 4 is a functional module block diagram of the device provided by the application;
Fig. 5 is a hardware structure diagram of the device shown in Fig. 4.
Specific embodiment
Exemplary embodiments are described in detail here, and examples are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application; rather, they are merely examples of devices and methods consistent with some aspects of the application as set out in detail in the appended claims.
The terms used in this application are only for the purpose of describing particular embodiments and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various pieces of information, the information should not be limited by these terms; these terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, the first information could also be called the second information, and similarly the second information could also be called the first information. Depending on the context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
This application makes up for the defect that existing DoS attack prevention technology cannot tell normal messages from attack messages: when normal messages and attack messages are sent to the same destination at the same time, the intermediate device can distinguish the normal messages from the attack messages, forward the normal messages normally and discard the attack messages.
Here, the intermediate device refers to a device located between the source device and the destination device, and can be, for example, a network access device (such as a hub or switch), an internetworking device (such as a router) or a network security device (such as a firewall or attack prevention device).
To give the intermediate device the ability to identify normal messages and attack messages, the application adds the following two functions to the intermediate device:
First, recording those source IP (Internet Protocol) addresses of detected messages that correspond to the addresses of real devices, that is, the source IP addresses of normal messages; the application can record such source IP addresses in the first IP address list. A real device here means a device that actually exists, and may include physical devices and virtual devices.
Second, recording the source IP addresses of detected messages, that is, the source IP addresses of both normal messages and attack messages; the application can record the source IP addresses of detected messages in the second IP address list. Alternatively, the source IP addresses of normal messages can be recorded in the first IP address list while the source IP addresses of attack messages and of messages of unknown status are recorded in the second address list.
How the intermediate device distinguishes normal messages from attack messages on the basis of the recorded first IP address list and second IP address list is explained below by the method flow shown in Fig. 1. Referring to Fig. 1, the method may comprise the following steps:
Step 101: receive a first message, the destination IP address of the first message being the IP address of a server protected by the intermediate device.
The first message here may be a TCP (Transmission Control Protocol) message, a UDP (User Datagram Protocol) message, an ICMP (Internet Control Message Protocol) message, and so on. In practice, a UDP flood is a relatively common kind of DoS attack: it uses the protocol stack to send a large number of half-connection messages to the server, and these half-connections consume a large amount of the server's resources.
Step 102: if the saved first IP address list contains the source IP address of the first message, forward the first message.
When the intermediate device finds the source IP address of the first message in the first IP address list, the intermediate device has already detected that source IP address and confirmed that it is an address that really exists, so the message is forwarded directly.
When the intermediate device does not find the source IP address of the first message in the first IP address list, there are two possible situations: either the intermediate device has not detected the source IP address before (or it detected the source IP address once but the detection result has been aged out), or the intermediate device has detected the source IP address before and confirmed that it does not correspond to a real device. Which situation applies to the current first message is determined with the help of the second IP address list, as follows:
Step 103: if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, add the source IP address of the first message to the second IP address list and send a second message, where the source IP address of the second message is the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message is the source IP address of the first message, and the destination port number of the second message is a port number in a preset range.
When the intermediate device finds the source IP address of the first message in neither the first IP address list nor the second IP address list, the intermediate device has not detected that source IP address before (or detected it once but the detection result has been aged out), so the intermediate device first adds the source IP address of the first message to the second IP address list and then goes on to detect whether the source IP address corresponds to a real device. As for how the first message is handled in this case, the intermediate device may discard the first message immediately; it may also transform the first message into the second message and send it to the source IP address of the first message to detect whether that source IP address corresponds to a real device; or it may temporarily save the first message and decide whether to forward or discard it once the detection result of the second message is known.
Step 104: if a response message for the second message indicating that the second message is in error is received, add the source IP address of the first message to the first IP address list.
In one embodiment, the second message may be a message with a very large destination port number; for example, the destination port number of the second message may be a port number from 32768 to 65535 (inclusive). If the source IP address of the first message corresponds to a real device, that real device returns an ICMP port unreachable message when it receives a message whose port number is not a well-known port and is very large; if the source IP address of the first message does not correspond to a real device, the device identified by the source IP address does not exist, so it naturally does not receive the second message sent by the intermediate device and naturally does not respond with an ICMP port unreachable message. On this basis, if the intermediate device receives an ICMP port unreachable message, it can determine that the source IP address of the first message corresponds to a real device and that the first message is a legitimate message, so the source IP address of the first message is added to the first IP address list. If the intermediate device never receives an ICMP port unreachable message, the source IP address of the first message is never added to the first IP address list.
As mentioned in step 103, when neither the first IP address list nor the second IP address list contains the source IP address of the first message, the source IP address of the first message can be added to the second IP address list. For a source IP address of a first message that has been added to the second IP address list, there are the following two processing modes:
In the first mode, if the intermediate device subsequently receives, within a preset time, a response message for the second message indicating that the second message is in error, it can delete the source IP address of the first message recorded in the second IP address list; conversely, if the intermediate device does not receive the response message indicating that the second message is in error within the preset time, it can retain the source IP address of the first message recorded in the second IP address list. In this mode, the second IP address list ultimately records only the source IP addresses of attack messages and need not record the source IP addresses of normal messages, which saves memory resources of the intermediate device. Of course, to achieve the goal of the second IP address list recording only the source IP addresses of attack messages, the intermediate device may, on determining in step 103 that neither the first IP address list nor the second IP address list contains the source IP address of the first message, first send the second message; if a response message for the second message is received within the preset time, the source IP address of the first message is not added to the second IP address list, and if no response message for the second message is received within the preset time, the source IP address of the first message is added to the second IP address list.
In the second mode, regardless of whether the intermediate device subsequently receives a response message for the second message indicating that the second message is in error, the source IP address of the first message is retained in the second IP address list. In this mode, the second IP address list holds the source IP addresses of both normal messages and attack messages; its advantage over the first mode is that no timer needs to be started to judge whether a response message returned by the source IP address of the first message is received within the preset time, which saves processing resources of the intermediate device.
In addition to the situation described in step 103, there may be the following situation regarding whether the first IP address list and the second IP address list contain the source IP address of the first message: the first IP address list does not contain the source IP address of the first message, but the second IP address list does. This situation means that the intermediate device has detected the source IP address of the first message before; since the source IP address is recorded in the second IP address list but not in the first IP address list, it can be determined that the source IP address of the first message does not correspond to a real device, and the intermediate device can discard the first message directly.
Through the above process, the intermediate device adds the source IP addresses of normal messages to the first IP address list, so that when the source IP address of a normal message sends a message again, the source IP address is found in the first IP address list and the message is forwarded directly; and it adds the source IP addresses of attack messages only to the second IP address list, so that when the source IP address of an attack message sends a message again, the intermediate device finds the source IP address only in the second IP address list and discards the message directly. The above process not only effectively prevents DoS attacks but also lets the intermediate device distinguish normal messages from attack messages.
To improve the efficiency of DoS attack prevention and reduce resource consumption, the intermediate device can perform DoS attack prevention only for certain specific IP addresses; for example, the intermediate device can perform DoS attack prevention for messages whose destination address is the IP address of a server that this device is to protect.
Alternatively, and further, after confirming that the destination IP address of a received message is the IP address of a server protected by this device, the intermediate device can further judge whether the number of messages (including normal messages and attack messages) received in a preset time before the first message was received, whose destination address is the IP address of the server to be protected, exceeds a set threshold, and execute DoS attack prevention only if it does. Specifically, in step 102 the intermediate device can forward the first message when both of the following conditions hold: the number of messages received in the preset time before the first message was received whose destination address is the destination IP address of the first message exceeds the set threshold, and the saved first IP list contains the source IP address of the first message. Likewise, in step 103 the intermediate device can add the source IP address of the first message to the second IP address list and send the second message when the number of messages received in the preset time before the first message was received whose destination address is the destination IP address of the first message exceeds the set threshold and neither the first IP address list nor the second IP address list contains the source IP address of the first message. Likewise, in step 104 the intermediate device can discard the first message when the number of messages received in the preset time before the first message was received whose destination address is the destination IP address of the first message exceeds the set threshold, the first IP address list does not contain the source IP address of the first message, and the second IP address list does contain it.
Correspondingly, if the number of messages received by the intermediate device in the preset time before the first message was received whose destination IP address is the destination IP address of the first message is below the set threshold, the intermediate device can forward the first message directly.
As one embodiment, to further ensure the timeliness of the DoS attack detection result, the first IP address list and the second IP address list can also be aged. There can be many aging means: for example, an aging time can be configured manually for the source IP addresses recorded in the first IP address list and the second IP address list; as another example, a statistics field can be added to the first IP address list and the second IP address list to count the number of messages received from each source IP address in the list in each period; if the count for some source IP address in some period is 0, that source IP address is deleted from the first IP address list and the second IP address list, and if it is not 0, the source IP address is retained and its count is reset.
The first IP address list and the second IP address list can be organized in the following two ways:
In one way, the intermediate device can maintain a separate first IP address list and second IP address list for the IP address of each server it protects. In this way, the intermediate device can create a first IP address list and a second IP address list for the IP address of a server when it determines that the address meets the DoS attack detection conditions, and delete the first IP address list and second IP address list associated with that address when it determines that the IP address of the server no longer meets the DoS attack detection conditions. Correspondingly, in steps 102 to 104, the intermediate device can look up the source IP address of the first message in the first IP address list and second IP address list associated with the destination IP address of the first message.
In another way, the intermediate device can maintain a single first IP address list and a single second IP address list for the IP addresses of all servers to be protected. In this way, the two tables can be kept permanently in the intermediate device (or a third-party device); when the intermediate device determines that the IP address of some server no longer meets the DoS attack detection conditions, it can clear the contents of the two tables. Correspondingly, in steps 102 to 104, the intermediate device looks up the source IP address of the first message in the single saved first IP address list and second IP address list.
Through the flow shown in Fig. 1, normal messages and attack messages can be distinguished and processed separately. For clarity, the technical solution of the application is described below by means of an example of processing a normal message and an example of processing an attack message.
Fig. 2 shows the processing of a normal message, where the client is a requester that really exists and DoS attack prevention for the server address has been enabled on the intermediate device. The specific steps are as follows:
1) the intermediate device receives a message sent by the client to the server;
2) the intermediate device checks whether the first IP address list contains the client address; the result is that it does not;
3) the intermediate device checks whether the second IP address list contains the client address; the result is that it does not;
4) the intermediate device adds the client address to the second IP address list;
5) the intermediate device sends a detection message to the client, the destination port number of the detection message being between 32768 and 65535;
6) the client returns an ICMP port unreachable message to the intermediate device;
7) the intermediate device adds the client address to the first IP address list;
8) the intermediate device again receives a message sent by the client to the server;
9) the intermediate device checks whether the first IP address list contains the client address; the result is that it does;
10) the intermediate device forwards the message to the server.
Fig. 3 shows the processing of an attack message, where the client is an address that does not exist in the network and DoS attack prevention for the server address has been enabled on the intermediate device. The specific steps are as follows:
1) the intermediate device receives a message sent by the client to the server;
2) the intermediate device checks whether the first IP address list contains the client address; the result is that it does not;
3) the intermediate device checks whether the second IP address list contains the client address; the result is that it does not;
4) the intermediate device adds the client address to the second IP address list;
5) the intermediate device sends a detection message to the client, the destination port number of the detection message being between 32768 and 65535;
Because the client does not exist, it does not return an ICMP port unreachable message, and the intermediate device does not add the client address to the first IP address list.
6) the intermediate device again receives a message sent by the client to the server;
7) the intermediate device checks whether the first IP address list contains the client address; the result is that it does not;
8) the intermediate device checks whether the second IP address list contains the client address; the result is that it does;
9) the intermediate device discards the message.
In summary, when guarding against DoS attacks, the intermediate device, on the basis of the recorded first IP address list and second IP address list, can not only effectively prevent DoS attacks but also distinguish normal messages from attack messages.
The method provided by this application has been described above. The device provided by this application is described below.
Referring to Fig. 4, an attack-defending device provided by this application is applied to an intermediate device. The device may include a transceiver unit 401 and an attack-defending unit 402, where:
The transceiver unit 401 is configured to receive a first message whose destination IP address is the IP address of the server protected by the intermediate device.
The attack-defending unit 402 is configured to: if the saved first IP address list contains the source IP address of the first message, instruct the transceiver unit 401 to forward the first message; if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, add the source IP address of the first message to the second IP address list and instruct the transceiver unit 401 to send a second message, where the source IP address of the second message is the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message is the source IP address of the first message, and the destination port number of the second message is a port number in a preset range; and if the transceiver unit 401 receives, for the second message, a response message indicating that the second message is in error, add the source IP address of the first message to the first IP address list.
In one embodiment, the attack-defending unit 402 may further be configured to discard the first message if the first IP address list does not contain the source IP address of the first message and the second IP address list does contain it.
In one embodiment, the destination port number of the second message is specifically a port number from 32768 to 65535, and the response message is an ICMP port unreachable message.
In one embodiment, the attack-defending unit 402 is specifically configured to: if the number of messages whose destination IP address is the IP address of the server protected by the intermediate device, received by the transceiver unit 401 within a preset time before the first message was received, exceeds a set threshold and the saved first IP address list contains the source IP address of the first message, instruct the transceiver unit 401 to forward the first message; if that number exceeds the set threshold and neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, add the source IP address of the first message to the second IP address list and instruct the transceiver unit 401 to send the second message; and if that number exceeds the set threshold, the first IP address list does not contain the source IP address of the first message, and the second IP address list does contain it, discard the first message.
In one embodiment, the attack-defending unit 402 is further configured to instruct the transceiver unit 401 to forward the message if the number of messages whose destination IP address is the IP address of the server protected by the intermediate device, received within the preset time before the first message was received, is below the set threshold.
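The following Python simulation is an added illustration of the decision logic described for the method (Figs. 2 and 3) and for the attack-defending unit 402 above; it is not code from the patent or from the assignee. The threshold gate, the two address lists and the detection message with a destination port in 32768 to 65535 follow the description; the round-robin choice of probe port, the sample addresses and the message dictionaries are assumptions made for the example.

```python
from collections import deque

# Preset destination port range for the second (detection) message, as given in the description.
PROBE_PORT_MIN, PROBE_PORT_MAX = 32768, 65535


class IntermediateDevice:
    """Decision logic of the intermediate device, in the terms of the description.

    verified: the "first IP address list", sources that answered the detection message
    probed:   the "second IP address list", sources to which a detection message was sent
    """

    def __init__(self, protected_server, own_address, threshold, window):
        self.protected_server = protected_server  # IP address of the protected server
        self.own_address = own_address            # address of the intermediate device
        self.threshold = threshold                # message count that switches verification on
        self.window = window                      # preset time, in seconds
        self.verified = set()                     # first IP address list
        self.probed = set()                       # second IP address list
        self.arrivals = deque()                   # arrival times of messages for the protected server
        self.next_port = PROBE_PORT_MIN           # assumption: probe ports used round-robin

    def _over_threshold(self, now):
        """Count messages to the protected server received in the preset time before now."""
        while self.arrivals and now - self.arrivals[0] > self.window:
            self.arrivals.popleft()
        return len(self.arrivals) > self.threshold

    def handle_first_message(self, msg, now):
        """Return ("forward", None), ("probe", second_message) or ("drop", None)."""
        if msg["dst_ip"] != self.protected_server:
            return ("forward", None)               # not the protected server: out of scope here
        over = self._over_threshold(now)           # judged on messages received before this one
        self.arrivals.append(now)
        if not over:
            return ("forward", None)               # below threshold: forwarded without verification
        src = msg["src_ip"]
        if src in self.verified:                   # the first list is checked first
            return ("forward", None)
        if src in self.probed:                     # probed but never answered: treated as attack
            return ("drop", None)
        self.probed.add(src)
        second_message = {
            "src_ip": self.protected_server,       # the description also allows self.own_address
            "dst_ip": src,
            "dst_port": self._pick_port(),
        }
        return ("probe", second_message)

    def _pick_port(self):
        port = self.next_port
        self.next_port = PROBE_PORT_MIN if port == PROBE_PORT_MAX else port + 1
        return port

    def handle_icmp_port_unreachable(self, icmp):
        """Process the response message: an ICMP port unreachable quoting the detection message.

        Returns True when the sender is promoted to the first IP address list.
        """
        src, quoted = icmp["src_ip"], icmp["quoted"]
        # Accept only an error that answers a detection message actually sent to that source.
        if src not in self.probed or quoted["dst_ip"] != src:
            return False
        if not (PROBE_PORT_MIN <= quoted["dst_port"] <= PROBE_PORT_MAX):
            return False
        self.verified.add(src)                     # stays in probed too; the first list wins
        return True


def simulate():
    """Constructed replay of Fig. 2 (real client) and Fig. 3 (non-existent address)."""
    dev = IntermediateDevice("192.0.2.10", "192.0.2.1", threshold=2, window=10)
    legit, ghost = "10.0.0.5", "10.0.0.99"          # constructed sample addresses
    trace = []

    def send(src, t):
        action, probe = dev.handle_first_message(
            {"src_ip": src, "dst_ip": "192.0.2.10", "dst_port": 80}, now=t)
        trace.append(action)
        return probe

    for t in range(3):
        send(legit, t)                              # below threshold: forwarded unverified
    probe = send(legit, 3)                          # threshold exceeded: detection message sent
    dev.handle_icmp_port_unreachable({"src_ip": legit, "quoted": probe})  # live host answers
    send(legit, 4)                                  # now in the first list: forwarded
    send(ghost, 5)                                  # unknown: probed, but nobody answers
    send(ghost, 6)                                  # only in the second list: dropped
    return trace, dev


if __name__ == "__main__":
    actions, device = simulate()
    print(actions)
    print("verified:", sorted(device.verified), "probed:", sorted(device.probed))
```

The replay yields forward, forward, forward, probe, forward, probe, drop: the real client is forwarded while under the threshold, probed once the threshold is exceeded, and forwarded again after its ICMP port unreachable arrives; the non-existent address is probed once and then dropped. The simulation checks that the ICMP error quotes a detection message sent to that source, which the description implies by tying the response to the second message; as a practical matter, entries in both lists would also need an expiry so that the lists do not grow without bound.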
It should be noted that the division into units in the embodiments of the present invention is schematic and reflects only a division by logical function; other divisions are possible in actual implementation. The functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
This completes the description of the functional modules of the device shown in Fig. 4.
Correspondingly, this application also provides a hardware structure diagram of the intermediate device. The intermediate device includes a communication interface 501, a processor 502, a memory 503 and a bus 504, where the communication interface 501, the processor 502 and the memory 503 communicate with one another via the bus 504.
The communication interface 501 is used for sending and receiving messages. The processor 502 may be a CPU, and the memory 503 may be a nonvolatile memory that stores attack-defending logic instructions; the processor 502 can execute the attack-defending logic instructions stored in the memory 503 to implement the method shown in Fig. 1.
This completes the description of the hardware structure of the intermediate device shown in Fig. 5.
The foregoing are merely preferred embodiments of this application and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of this application shall fall within the scope of protection of this application.

Claims (10)

1. An attack prevention method, characterized in that the method is applied to an intermediate device and comprises:
receiving a first message, the destination IP address of the first message being the IP address of a server protected by the intermediate device;
if a saved first IP address list contains the source IP address of the first message, forwarding the first message;
if neither the saved first IP address list nor a saved second IP address list contains the source IP address of the first message, adding the source IP address of the first message to the second IP address list and sending a second message, the source IP address of the second message being the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message being the source IP address of the first message, and the destination port number of the second message being a port number in a preset range;
if a response message for the second message indicating that the second message is in error is received, adding the source IP address of the first message to the first IP address list.
2. The method according to claim 1, characterized in that the method further comprises:
if the first IP address list does not contain the source IP address of the first message and the second IP address list contains the source IP address of the first message, discarding the first message.
3. The method according to claim 1, characterized in that the destination port number of the second message is specifically a port number from 32768 to 65535, and the response message is an ICMP port unreachable message.
4. The method according to claim 2, characterized in that forwarding the first message if the saved first IP address list contains the source IP address of the first message comprises:
if the number of messages whose destination IP address is the IP address of the server protected by the intermediate device, received within a preset time before the first message was received, exceeds a set threshold and the saved first IP address list contains the source IP address of the first message, forwarding the first message;
adding the source IP address of the first message to the second IP address list and sending the second message if neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message comprises:
if the number of messages whose destination IP address is the IP address of the server protected by the intermediate device, received within the preset time before the first message was received, exceeds the set threshold and neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, adding the source IP address of the first message to the second IP address list and sending the second message;
discarding the first message if the first IP address list does not contain the source IP address of the first message and the second IP address list contains the source IP address of the first message comprises:
if the number of messages whose destination IP address is the IP address of the server protected by the intermediate device, received within the preset time before the first message was received, exceeds the set threshold, the first IP address list does not contain the source IP address of the first message, and the second IP address list contains the source IP address of the first message, discarding the first message.
5. The method according to claim 4, characterized in that the method further comprises:
if the number of messages whose destination IP address is the IP address of the server protected by the intermediate device, received within the preset time before the first message was received, is below the set threshold, forwarding the first message.
6. An attack-defending device, characterized in that the device is applied to an intermediate device and comprises:
a transceiver unit, configured to receive a first message, the destination IP address of the first message being the IP address of a server protected by the intermediate device;
an attack-defending unit, configured to: if a saved first IP address list contains the source IP address of the first message, instruct the transceiver unit to forward the first message; if neither the saved first IP address list nor a saved second IP address list contains the source IP address of the first message, add the source IP address of the first message to the second IP address list and instruct the transceiver unit to send a second message, the source IP address of the second message being the destination IP address of the first message or the address of the intermediate device, the destination IP address of the second message being the source IP address of the first message, and the destination port number of the second message being a port number in a preset range; and if the transceiver unit receives, for the second message, a response message indicating that the second message is in error, add the source IP address of the first message to the first IP address list.
7. The device according to claim 6, characterized in that
the attack-defending unit is further configured to discard the first message if the first IP address list does not contain the source IP address of the first message and the second IP address list contains the source IP address of the first message.
8. The device according to claim 6, characterized in that the destination port number of the second message is specifically a port number from 32768 to 65535, and the response message is an ICMP port unreachable message.
9. The device according to claim 7, characterized in that
the attack-defending unit is specifically configured to: if the number of messages whose destination IP address is the IP address of the server protected by the intermediate device, received by the transceiver unit within a preset time before the first message was received, exceeds a set threshold and the saved first IP address list contains the source IP address of the first message, instruct the transceiver unit to forward the first message; if the number of messages whose destination IP address is the IP address of the server protected by the intermediate device, received by the transceiver unit within the preset time before the first message was received, exceeds the set threshold and neither the saved first IP address list nor the saved second IP address list contains the source IP address of the first message, add the source IP address of the first message to the second IP address list and instruct the transceiver unit to send the second message; and if the number of messages whose destination IP address is the IP address of the server protected by the intermediate device, received by the transceiver unit within the preset time before the first message was received, exceeds the set threshold, the first IP address list does not contain the source IP address of the first message, and the second IP address list contains the source IP address of the first message, discard the first message.
10. The device according to claim 6, characterized in that
the attack-defending unit is further configured to forward the first message if the number of messages whose destination IP address is the IP address of the server protected by the intermediate device, received within the preset time before the first message was received, is below the set threshold.
CN201711122077.6A 2017-11-14 2017-11-14 A kind of attack prevention method and device Pending CN108989275A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201711122077.6A CN108989275A (en) 2017-11-14 2017-11-14 A kind of attack prevention method and device
PCT/CN2018/115132 WO2019096104A1 (en) 2017-11-14 2018-11-13 Attack prevention


Publications (1)

Publication Number Publication Date
CN108989275A true CN108989275A (en) 2018-12-11

Family

ID=64542228


Country Status (2)

Country Link
CN (1) CN108989275A (en)
WO (1) WO2019096104A1 (en)


Also Published As

Publication number Publication date
WO2019096104A1 (en) 2019-05-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20181211)