CN109327426A - A kind of firewall attack defense method - Google Patents


Publication number
CN109327426A
Authority
CN
China
Prior art keywords
attack
configuration
message
tcp
firewall
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810024379.8A
Other languages
Chinese (zh)
Inventor
白令海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CN201810024379.8A
Publication of CN109327426A
Legal status: Pending (current)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/0281 Proxies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services

Abstract

The present invention provides a firewall attack defense method. By applying an attack defense module to a firewall that already has security-zone-based configuration management, packet management and session management, the method implements network attack detection and accurately detects single-packet attacks, scanning attacks and large-scale attacks. Single-packet attacks specifically include: ICMP redirect attack, ICMP unreachable attack, IP source routing option attack, route record option attack, Land attack, Smurf attack, Fraggle attack and WinNuke attack. Scanning attacks specifically include: address scanning attack and port scanning attack. Large-scale attacks include: TCP SYN Flood attack, ICMP Flood attack and UDP Flood attack. After a network attack is detected, the configured countermeasures are taken, such as dropping the packet, adding the source to a blacklist and writing an alarm log. The method implements the Safe Reset technique under a TCP proxy linkage mechanism and thereby defends effectively against TCP SYN Flood attacks.

Description

A kind of firewall attack defense method
Technical field
The invention belongs to the field of network security and in particular relates to a firewall attack defense method.
Background art
A network attack is an attack on the data of a network system that exploits vulnerabilities and security defects in the network's hardware, software and the system itself. With the widespread use of computer networks, network attack techniques keep evolving: from the crude, single-purpose methods of the early days they have developed into today's refined, combined attack methods. The network attacks commonly seen on the Internet currently fall into the following three classes: single-packet attacks, scanning attacks and large-scale attacks:
(1) Single-packet attacks
Single-packet attacks are also called malformed-packet attacks. The attacker sends defective IP packets to the target machine (for example IP packets with overlapping fragments, or TCP segments with illegal flag bits); because the target machine cannot process such IP packets correctly, the system crashes. Another form is that the attacker sends a large number of useless packets to occupy network bandwidth and maliciously cause network congestion.
(2) Scanning attacks
The attacker uses scanning tools to scan the host addresses or ports of a network, pinpoints the potential targets, probes the network topology of the target system and the types of service it has enabled, and uses the collected information to carry out further attacks.
(3) Large-scale attacks
A large-scale attack is a form of DoS attack and includes TCP SYN Flood attacks, UDP Flood attacks and the like. The attacker sends a large number of spurious requests to the target system in a short time; the target system is overwhelmed dealing with the garbage, consumes a large amount of key resources and can no longer provide normal service to legitimate users, i.e. denial of service occurs.
Among the various network attacks, DoS attacks have become one of the most common attack methods because they are simple to carry out and highly destructive. Data show that more than 90% of DoS attacks are realised by exploiting weaknesses of the TCP protocol, and TCP SYN Flood is the most commonly used attack means. Any system on the Internet that provides a TCP-based network service, such as a web server, FTP server or mail server, is susceptible to TCP SYN Flood attacks. Good defense against SYN Flood attacks therefore plays a very important role in the overall attack defense function of a firewall.
As an important means of protecting network security, a firewall should be able to defend effectively against a wide range of network attacks. In recent years the emergence of large-scale attacks has placed stricter requirements on firewalls. With the wide adoption of firewalls and changes in the networking environment, the policy configuration mode of firewalls has also developed towards being easier to use and more efficient.
A traditional firewall is based on the intranet/extranet model: the firewall sits between the internal network and the external network, and security policy only has to be configured according to the inbound interface and outbound interface of network packets. As firewalls developed, zone-based deployment schemes appeared, i.e. the intranet/extranet/demilitarized zone (DMZ) model. The DMZ is a dedicated network region distinct from both the intranet and the extranet; public servers that hold no confidential information, such as web, mail and FTP servers, are usually placed in the DMZ. In this way visitors from the extranet can access the services in the DMZ but cannot easily access the company's confidential information or personal information stored on the intranet, and even if a server in the DMZ is compromised the confidential information on the intranet is not affected. In this model the firewall sits at the centre of the three zones, connecting them in a triangular pattern.
In such a zone-based network environment, the traditional interface-based policy configuration mode requires a security policy to be configured for every interface; the maintenance workload of security policy multiplies, and with it the probability of introducing security risks through configuration. Modern firewalls therefore introduce the concept of the security zone. A security zone is a logical grouping (and sometimes a physical grouping) of network assets and resources that share the same set of security attributes, and it is the core element of policy enforcement and configuration management in a firewall. Once security zones are introduced, the security administrator classifies interfaces or IP addresses with the same security requirements and divides them into different security zones, corresponding to the intranet, extranet, DMZ and other network regions of the real network structure. Dividing the network into security zones lets the firewall configuration be combined more flexibly with the network structure, implements hierarchical policy management, and improves the convenience and safety of firewall policy configuration.
Many firewalls now provide three independent security zones: the trusted zone (Trust), the untrusted zone (Untrust) and the demilitarized zone (DMZ). In addition, more security zones can be added according to actual needs, and the various functions of the firewall are realised through the policies configured on the security zones.
Although existing firewalls have security-zone-based configuration management, packet management and session management, they lack a comprehensive defense function that can detect many types of attack and take reasonable countermeasures against them; it is difficult to defend proactively against the common network attacks with effective attack defense technology, and the network cannot be guaranteed to keep operating normally under increasingly frequent attacks. An overall firewall security solution is still missing from the prior art.
Summary of the invention
In view of the above shortcomings of the prior art, the present invention provides a firewall attack defense method that implements network attack detection, accurately detects single-packet attacks, scanning attacks and large-scale attacks, and takes the configured countermeasures after a network attack is detected.
To achieve the above object, the technical solution adopted by the present invention is as follows:
A firewall attack defense method consisting of a method for configuring attack defense policy, a method for detecting and defending against single-packet attacks, a method for detecting and defending against scanning attacks, a method for detecting and defending against large-scale attacks, and a method for detecting and defending against SYN flood attacks.
The method for configuring attack defense policy comprises the following steps:
Receive a configuration message;
Parse the configuration message and extract the configuration parameters, checking the validity of the configuration parameters at the same time;
Display an error message for an invalid configuration; for a valid configuration, apply the newly configured policy so that it takes effect.
The method for detecting and defending against single-packet attacks comprises the following steps:
Receive a packet;
Check the packet fields according to the currently configured policy and judge whether the packet is legitimate;
After an attack is detected, return the packet handling result, drop or pass, according to the currently configured policy;
Output an alarm log.
The method for detecting and defending against scanning attacks comprises the following steps:
Receive a packet;
Query the new-connection rate of the source IP address and judge whether it exceeds the threshold;
After an attack is detected, return the packet handling result, drop or pass, according to the currently configured policy;
Add the attacker's IP address to the blacklist;
Output an alarm log.
The method for detecting and defending against large-scale attacks comprises the following steps:
Receive a packet;
Query the new-connection rate of the destination IP address and judge whether it exceeds the threshold;
After an attack is detected, return the packet handling result, drop or pass, according to the currently configured policy;
Output an alarm log through the log interface.
The method for detecting and defending against SYN flood attacks comprises the following steps:
Receive a TCP SYN packet;
Query the number of half-open connections and the new-connection rate of the destination IP address; if a threshold is exceeded, a SYN flood attack is detected;
After an attack is detected, if the TCP proxy is enabled, add the destination IP address to the protected IP address list; otherwise return the packet handling result, drop or pass, according to the currently configured policy;
Output an alarm log.
In the method for detecting and defending against SYN flood attacks, after the destination IP address has been added to the protected IP address list, protection is implemented with the Safe Reset technique, which intercepts attack traffic without affecting normal traffic and thereby realises SYN flood defense.
Attack defense policy configuration processing and the detection of the various network attacks are realised by applying an attack defense module to the firewall, and the corresponding countermeasures are taken by calling the interfaces of the firewall's functional modules. The firewall has security zone management, configuration management, packet management, blacklist management, policy management, log management and session management functional modules; the attack defense module comprises a configuration processing submodule, an attack detection submodule and a TCP proxy submodule.
The significant beneficial effects obtained by the present invention are:
The invention can detect many types of attack and take reasonable countermeasures against them;
By using an improved Safe Reset technique in combination with a TCP proxy mechanism based on traffic anomaly detection, it realises SYN Flood defense more efficiently and more robustly.
Detailed description of the invention
Fig. 1 shows the relationship between the attack defense module and the external modules;
Fig. 2 is the policy configuration process flow diagram;
Fig. 3 is the single-packet attack detection and defense process flow diagram;
Fig. 4 is the scanning attack detection and defense process flow diagram;
Fig. 5 is the large-scale attack detection and defense process flow diagram;
Fig. 6 illustrates the principle of the TCP SYN Flood attack;
Fig. 7 is the TCP proxy linkage mechanism process flow diagram.
Specific embodiment
The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
The present invention provides a firewall defense method. By applying an attack defense module to a firewall that already has security-zone-based configuration management, packet management and session management, network attack detection is realised and single-packet attacks, scanning attacks and large-scale attacks are detected accurately. Single-packet attacks specifically include: ICMP redirect attack, ICMP unreachable attack, IP source routing option attack, route record option attack, Land attack, Smurf attack, Fraggle attack and WinNuke attack. Scanning attacks specifically include: address scanning attack and port scanning attack. Large-scale attacks include: TCP SYN Flood attack, ICMP Flood attack and UDP Flood attack. After a network attack is detected, the configured countermeasures are taken, such as dropping the packet, adding the source to a blacklist and writing an alarm log. The Safe Reset technique under the TCP proxy linkage mechanism is implemented to defend effectively against TCP SYN Flood attacks.
The attack defense module of the security-zone-based firewall (hereafter the attack defense module) is integrated into the firewall. It mainly implements attack defense policy configuration processing and the detection of the various network attacks, and takes the corresponding countermeasures by calling the interfaces of external modules (the firewall's functional modules). The firewall already has security zone management, configuration management, packet management, blacklist management, policy management, log management, session management and similar functions. The connection and communication between the attack defense module and the external module interfaces use conventional means and are not described further. The whole attack defense module comprises a configuration processing submodule, an attack detection submodule and a TCP proxy submodule. Because TCP SYN Flood defense requires a TCP proxy that uses the Safe Reset technique, whose implementation principle is comparatively complex, the TCP proxy function is split out as a separate submodule. After the attack detection submodule detects a TCP SYN Flood attack, it notifies the TCP proxy submodule to enable the TCP proxy function and defend against the attack.
The relationships between the configuration processing submodule, the attack detection submodule and the TCP proxy submodule, and between the whole attack defense module and the external modules, are shown in Fig. 1:
The data flows between the modules are as follows:
D1: Configuration message. When the administrator configures attack defense policy through the user interface, the configuration management module passes the configuration message to the attack defense module, which applies the policy to subsequent packets according to the configuration.
D2: Configuration processing return data. The attack defense module returns the result of configuration processing to the configuration management module.
D3: Security zone information. When writing a log, the attack defense module needs to obtain the relevant information about the specified security zone from the security zone module.
D4: Original attack defense policy information. When checking a packet, the attack defense module obtains the attack defense policy for the packet's security zone from the policy management module.
D5: Updated attack defense policy information. When the administrator configures attack defense policy through the user interface, the attack defense module passes the new policy information to the policy management module, which is responsible for updating it.
D6: Session information. For the detection of scanning attacks and large-scale attacks, the attack defense module queries session information from the session management module to obtain the number of half-open connections and the new-connection rate of a specified IP address on the network.
D7: Updated session status. After the attack defense module detects an attack and takes the corresponding countermeasure, it sometimes needs to update the session status.
D8: Received packet data. The attack defense module checks the validity of packets received by the firewall.
D9: Forwarded packet data. Packets that pass the attack defense module's check may need some of their fields modified; passed packets continue to be forwarded directly.
D10: Blacklist entry information. For a detected scanning attack, the attacker's IP address can be blacklisted, and all packets from that host are blocked for the specified time.
D11: Output log information. When an attack is detected, the current time, the attack type, source host and destination host information and so on are written to the log.
D12: Configuration parameters. The configuration processing submodule parses the configuration message passed by the external configuration management module, sets the configuration parameters and passes them to the attack detection submodule, which enables the corresponding functions.
D13: Protected host information. After the attack detection submodule detects a TCP SYN Flood attack, the TCP proxy linkage mechanism is enabled, the attacked target host is added to the protected hosts, and the TCP proxy module defends the protected host using the Safe Reset technique.
The main processing flows of attack defense are as follows:
(1) Processing flow for configuring attack defense policy
The administrator can configure the firewall's attack defense policy in two ways, via the command line or via a web page. The configurable policy content of the attack defense module includes creating, deleting and modifying the single-packet attack, scanning attack and large-scale attack defense policies. The attributes of an attack defense policy include the security zone the policy applies to, the enable state and associated thresholds of each specific attack detection, and the countermeasures to take after an attack is detected. The countermeasures include writing an alarm log, dropping the attack packet and blacklisting the attacker's IP address. In addition, for TCP SYN Flood attacks, enabling the TCP proxy function can also be configured as the defense.
Processing of attack defense policy configuration is done mainly by the configuration processing submodule; the flow is shown in Fig. 2. After the configuration processing submodule receives the configuration message passed by the external configuration management module, it parses the message, extracts the configuration parameters and checks their validity. For an invalid configuration an error message is displayed; for a valid configuration the policy is first updated in the control plane, and the configuration is then handed down to the attack detection submodule so that the newly configured policy takes effect.
(2) Processing flow for single-packet attack detection and defense
If the administrator has configured a single-packet attack defense policy on a security zone, the attack detection submodule receives the packets in the inbound direction of that zone and checks them according to the currently configured policy. The administrator can configure the detection enable state of each type of single-packet attack and thus selectively defend against them. If a packet is found to carry an attack signature, the countermeasure is taken: if the policy is configured to drop on detection, the attack packet is dropped, otherwise it is passed. If no attack signature is detected the packet is considered normal and is passed and forwarded directly. Whenever an attack is detected, whether the attack packet is dropped or passed, an alarm log is written indicating the detected attack type, the relevant information of the attack packet and the filtering action the firewall took.
The processing flow for single-packet attack detection and defense is shown in Fig. 3. After the attack detection submodule receives a packet in the zone's inbound direction from the external packet management module, it checks the packet fields according to the currently configured policy and judges the packet's legitimacy. After an attack is detected, it returns the packet handling result, drop or pass, according to the current policy, and finally writes an alarm log through the interface provided by the external log management module.
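The single-packet checks described in this flow, as an added example that is not code from the patent: a per-zone policy records which single-packet detections are enabled and whether a hit is dropped, and a classifier maps an already-parsed packet to one of the attack types the patent names. The dict-based packet representation, the concrete signatures (Land as equal source and destination address and port, WinNuke as a TCP URG segment to port 139, Smurf and Fraggle as ICMP echo or UDP echo/chargen to a broadcast address, source routing as IP options 131/137, record route as option 7), the `/24` broadcast heuristic and the sample packets are all assumptions made for illustration.

```python
"""Single-packet attack checks on parsed packet fields (added illustration).

Packets are plain dicts with the fields a firewall's packet management
module would already have decoded; the signatures below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ICMP_UNREACHABLE, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 3, 5, 8
IPOPT_RECORD_ROUTE, IPOPT_LSRR, IPOPT_SSRR = 7, 131, 137   # assumed option codes


@dataclass
class SinglePacketPolicy:
    """Per-zone policy: which detections are enabled and whether a hit is dropped."""
    zone: str
    enabled: Dict[str, bool] = field(default_factory=dict)
    drop_on_detect: bool = True


def _is_broadcast(ip: str) -> bool:
    # Limited broadcast, or a directed broadcast assuming /24 networks (assumption).
    return ip == "255.255.255.255" or ip.endswith(".255")


def classify(pkt: dict) -> Optional[str]:
    """Return the name of the single-packet attack the packet matches, or None."""
    proto = pkt.get("proto")
    dst = pkt.get("dst_ip", "")
    opts = set(pkt.get("ip_options", ()))
    if proto == "tcp" and pkt.get("src_ip") == dst \
            and pkt.get("src_port") == pkt.get("dst_port"):
        return "land"
    if proto == "icmp":
        if pkt.get("icmp_type") == ICMP_REDIRECT:
            return "icmp_redirect"
        if pkt.get("icmp_type") == ICMP_UNREACHABLE:
            return "icmp_unreachable"
        if pkt.get("icmp_type") == ICMP_ECHO_REQUEST and _is_broadcast(dst):
            return "smurf"
    if proto == "udp" and pkt.get("dst_port") in (7, 19) and _is_broadcast(dst):
        return "fraggle"
    if proto == "tcp" and pkt.get("dst_port") == 139 and "URG" in pkt.get("tcp_flags", ()):
        return "winnuke"
    if opts & {IPOPT_LSRR, IPOPT_SSRR}:
        return "ip_source_route"
    if IPOPT_RECORD_ROUTE in opts:
        return "route_record"
    return None


def inspect(pkt: dict, policy: SinglePacketPolicy, log: List[str]) -> str:
    """Apply the zone policy: returns 'pass' or 'drop'; every detection is logged."""
    attack = classify(pkt)
    if attack is None or not policy.enabled.get(attack, False):
        return "pass"                      # normal packet, or detection disabled
    action = "drop" if policy.drop_on_detect else "pass"
    log.append(f"zone={policy.zone} attack={attack} "
               f"src={pkt.get('src_ip')} dst={pkt.get('dst_ip')} action={action}")
    return action


# Constructed sample traffic (not captured data).
SAMPLES = {
    "land": {"proto": "tcp", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.5",
             "src_port": 80, "dst_port": 80, "tcp_flags": ("SYN",)},
    "smurf": {"proto": "icmp", "icmp_type": 8, "src_ip": "10.0.0.9", "dst_ip": "10.0.0.255"},
    "normal": {"proto": "tcp", "src_ip": "10.0.0.1", "dst_ip": "10.0.0.2",
               "src_port": 40000, "dst_port": 443, "tcp_flags": ("SYN",)},
}


def inspect_samples() -> Dict[str, str]:
    """Run the samples through a policy with Land and WinNuke on, Smurf off."""
    policy = SinglePacketPolicy("trust", enabled={"land": True, "winnuke": True, "smurf": False})
    log: List[str] = []
    results = {name: inspect(pkt, policy, log) for name, pkt in SAMPLES.items()}
    results["log_entries"] = str(len(log))
    return results


if __name__ == "__main__":
    print(inspect_samples())
```

The classifier is deliberately separated from the policy decision so that a disabled detection still leaves the packet untouched, which is the behaviour the text describes for per-type enable flags.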
(3) Processing flow for scanning attack detection and defense
If the administrator has configured a scanning attack defense policy on a security zone, the attack detection submodule receives the packets in the inbound direction of that zone, extracts the source IP address from each packet and queries the new-connection rate of that source IP address; if it exceeds the new-connection rate threshold the administrator configured in the policy, the packet is considered a scanning attack packet. For scanning attacks the firewall forcibly drops the attack packet; the administrator cannot configure whether the attack packet is dropped. In addition, if the policy is configured to blacklist the attacker's IP address, the source IP address of the attack packet is added to the blacklist, and for a certain period all packets whose source IP address is on the blacklist are simply discarded. If the new-connection rate of the packet's source IP address does not exceed the threshold configured in the policy, the packet is considered normal and is passed and forwarded directly. Finally, whenever a scanning attack is detected, an alarm log is written indicating the detected attack type, the relevant information of the attack packet and the filtering action the firewall took.
The processing flow for scanning attack detection and defense is shown in Fig. 4. After the attack detection submodule receives a packet in the zone's inbound direction from the external packet management module, it queries the new-connection rate of the source IP address through the interface provided by the external session management module and judges whether it exceeds the threshold. After an attack is detected, it returns the packet handling result, drop or pass, according to the current policy, adds the attacker's IP address to the blacklist through the interface provided by the external blacklist management module, and finally writes an alarm log through the interface provided by the external log management module.
(4) Processing flow for large-scale attack detection and defense
If the administrator has configured a large-scale attack defense policy on a security zone, the attack detection submodule receives the packets in the outbound direction of that zone, extracts the destination IP address from each packet and then judges the packet type. For packets that are not TCP SYN, it queries the new-connection rate of the destination IP address; if the rate exceeds the threshold the administrator set in the policy, a large-scale attack is assumed and the attack packet is dropped or passed according to the policy configuration. Packets judged to be normal are passed and forwarded directly. Whenever a large-scale attack is detected, an alarm log is written indicating the detected attack type, the relevant information of the attack packet and the filtering action the firewall took.
The processing flow for large-scale attack detection and defense is shown in Fig. 5. After the attack detection submodule receives a packet in the zone's outbound direction from the external packet management module, it queries the new-connection rate of the destination IP address through the interface provided by the external session management module and judges whether it exceeds the threshold. After an attack is detected, it returns the packet handling result, drop or pass, according to the current policy, and finally writes an alarm log through the interface provided by the external log management module.
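A sliding-window new-connection rate check, as an added example (not the patent's code) that covers both the scanning flow (rate keyed by source IP, forced drop, time-limited blacklist) and the large-scale flow above (rate keyed by destination IP, drop or pass per policy). The window length, the thresholds, the blacklist lifetime, the explicit `now` timestamps and the constructed traffic are assumptions; in the firewall the counts would come from the session management module rather than from an in-process counter.

```python
"""Per-source and per-destination new-connection rate checks (added example).

Every call models one packet that opens a new session. Time is passed in
explicitly so the behaviour is deterministic; a real module would read the
clock and query the session table instead.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List


class NewConnectionRate:
    """Counts new connections per key (an IP address) inside a sliding window."""

    def __init__(self, window_s: float) -> None:
        self.window_s = window_s
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, key: str, now: float) -> int:
        q = self._events[key]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop events outside the window
            q.popleft()
        return len(q)          # connections per window (== per second for a 1 s window)


@dataclass
class RatePolicy:
    scan_threshold: int        # new connections per window from one source IP
    flood_threshold: int       # new connections per window towards one destination IP
    blacklist_attacker: bool   # scanning countermeasure: blacklist the source
    blacklist_seconds: float
    drop_on_flood: bool = True # large-scale countermeasure is configurable


class RateDetector:
    def __init__(self, policy: RatePolicy, window_s: float = 1.0) -> None:
        self.policy = policy
        self.by_src = NewConnectionRate(window_s)
        self.by_dst = NewConnectionRate(window_s)
        self.blacklist: Dict[str, float] = {}   # source IP -> expiry time
        self.log: List[str] = []

    def _blacklisted(self, src: str, now: float) -> bool:
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:                       # entry has aged out
            del self.blacklist[src]
            return False
        return True

    def on_new_connection(self, src: str, dst: str, now: float) -> str:
        """Returns 'drop' or 'pass' for a packet that opens a new connection."""
        if self._blacklisted(src, now):
            return "drop"                       # blacklisted sources are simply discarded
        # Scanning: too many new connections from one source inside the window.
        if self.by_src.record(src, now) > self.policy.scan_threshold:
            if self.policy.blacklist_attacker:
                self.blacklist[src] = now + self.policy.blacklist_seconds
            self.log.append(f"t={now:.2f} scan src={src} action=drop")
            return "drop"                       # scanning hits are always dropped
        # Large-scale: too many new connections towards one destination.
        if self.by_dst.record(dst, now) > self.policy.flood_threshold:
            action = "drop" if self.policy.drop_on_flood else "pass"
            self.log.append(f"t={now:.2f} flood dst={dst} action={action}")
            return action
        return "pass"


def simulate() -> dict:
    """Constructed traffic: one scanner probing many hosts, then many clients hitting one server."""
    det = RateDetector(RatePolicy(scan_threshold=5, flood_threshold=50,
                                  blacklist_attacker=True, blacklist_seconds=60))
    # A scanner opens 8 connections to 8 different hosts within 0.8 s.
    scan = [det.on_new_connection("10.0.0.99", f"192.0.2.{i}", 0.1 * i) for i in range(8)]
    still_blocked = det.on_new_connection("10.0.0.99", "192.0.2.50", 30.0)
    after_expiry = det.on_new_connection("10.0.0.99", "192.0.2.51", 70.0)
    # 60 distinct clients open connections to one server inside one second.
    flood = [det.on_new_connection(f"198.51.100.{i}", "192.0.2.10", 100.0 + i / 100)
             for i in range(60)]
    return {"scan": scan, "still_blocked": still_blocked, "after_expiry": after_expiry,
            "flood": flood, "log": det.log}


if __name__ == "__main__":
    for line in simulate()["log"]:
        print(line)
```

The scanning branch returns before the destination counter is touched, so a blacklisted scanner does not inflate the per-destination rate of the hosts it was probing; whether that ordering is right for a given deployment is a design choice, not something the text prescribes.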
(5) Processing flow for TCP SYN Flood (also called SYN flood) attack detection and defense
Among large-scale attacks, TCP SYN Flood is the hardest to handle; its detection and defense use a TCP proxy mechanism together with the Safe Reset technique.
TCP SYN Flood is one of the most common DDoS attack patterns. It exploits a flaw in the TCP connection establishment process: by sending a large number of forged TCP connection requests it exhausts the victim's resources, so that normal client requests can no longer be handled. The attack is simple to carry out but hard to detect, because attack traffic and normal traffic are mixed together and hard to distinguish correctly, and the attack traffic has no fixed signature that a signature database could match. The TCP connection establishment process is usually called the "TCP three-way handshake", and its steps can be summarised concisely as: (1) the client sends a SYN segment to the server; (2) the server returns a SYN ACK segment to the client; (3) the client returns an ACK segment to the server.
During TCP connection establishment, the client and the server each allocate resources for the current connection. In the three-way handshake above, once the server receives the SYN segment sent by the client, i.e. after the first handshake step completes, the server allocates a TCB for the connection about to be established. The TCB (TCP control block) contains all the node information TCP maintains for each connection, including the sequence numbers, window sizes and retransmission counts in both directions. Every TCP connection requires one TCB, and each TCB occupies 140 bytes of storage. At this point the TCP connection is not fully established and is called a half-open connection. A half-open connection is only released after the server receives the client's ACK or the connection times out, whereas the client only allocates its TCB after receiving the SYN ACK; this asymmetric resource allocation model can be exploited by an attacker and forms the TCP SYN Flood attack.
As shown in fig. 6, attacker is initiated the connection using a not existing source IP address to destination server, it should Server response SYN ACK message in response, due to the destination address of response message be not attacker practically Location, so this address will be unable to respond server.Therefore, the last one step that TCP shakes hands will never may Occur, which is just constantly in half-open position and is released after connection time-out.If attacker is with being faster than server TCP The speed of time-out is connected, SYN message, all TCB resources of server continuously are sent to the open port of destination server It will all be consumed, so that it cannot receiving the normal connection request of other clients again.
Traditional prevention of TCP SYN Flood attacks is mainly traffic anomaly detection based on limiting the new-connection rate and the number of half-open connections: when the rate of TCP connections initiated by a source host to a destination host, or the number of half-open connections established, exceeds a certain threshold, the firewall blocks the subsequent traffic. The shortcoming of this method is that it cannot distinguish attack traffic from normal traffic; once a TCP SYN Flood attack is detected, all subsequent TCP packets are dropped, so the server cannot respond to connection requests from normal users.
The TCP proxy mechanism solves this problem. When a client requests a connection with a protected server through the TCP proxy, the TCP proxy first verifies whether the client's request is a TCP SYN Flood attack. Only after verification passes can a TCP connection be established between the client and the server, so the server itself is not attacked.
A common way to implement a TCP proxy is the SYN Cookie technique. It changes the resource allocation strategy and checks the legitimacy of TCP connections, filtering out malicious connection packets while ensuring that normal sessions with the server keep running.
The principle and detailed procedure of the SYN Cookie technique are prior art and are not repeated here.
In practice, however, the SYN Cookie technique has certain limitations. Because it ultimately proxies all connection packets between the client and the server through the firewall, the firewall device must be deployed on the critical path at the entrance and exit of the protected server, so that all packets sent by clients to the server and all packets the server sends in response pass through the device. In real network environments, however, the server's responses to the client may not pass through the firewall, and the SYN Cookie technique then cannot work properly.
For this reason, the present invention uses an improved Safe Reset technique, likewise based on the TCP proxy mechanism, to detect and prevent TCP SYN Flood attacks.
Safe Reset is a technique by which the firewall identifies legitimate clients by intervening in normal TCP connection establishment. The firewall processes the TCP negotiation packets used to establish a connection, modifies the acknowledgment sequence number of the response packet so that it carries authentication information (called a Cookie), and then validates the packet by verifying the information carried in the negotiation packet the client sends back.
While authenticating TCP connections with the Safe Reset technique, the firewall forwards packets from legitimate clients normally and drops new-connection packets initiated by forged clients and by illegitimate clients that only simulate the TCP protocol stack. The server therefore never allocates connection resources for SYN packets initiated by forged or illegitimate clients, and the TCP SYN Flood attack is avoided.
The principle and detailed procedure of the Safe Reset technique are likewise prior art and are not repeated here.
To further improve network communication performance when the Safe Reset technique is used, the present invention combines traffic anomaly detection with a TCP proxy linkage mechanism to prevent TCP SYN Flood attacks. Traffic anomaly detection takes two forms: detection of the number of half-open connections and detection of the new-connection rate.
When a malicious client launches a TCP SYN Flood attack against a target server using forged source IP addresses, a large number of half-open connections appear on the target server. At the same time, whether the malicious client uses forged source IP addresses or its real IP address, the packets destined for the server increase sharply within a short time. Therefore, when the number of half-open connections or the new-connection rate of the protected host exceeds a certain threshold, the host can be considered to be under a TCP SYN Flood attack.
The processing flow of the TCP proxy linkage mechanism is shown in Figure 7. After the attack detection submodule receives, from the external (firewall) packet management module, a TCP SYN packet arriving on the security zone, it calls the interface provided by the external (firewall) session management module to query the number of half-open connections and the new-connection rate of the destination IP address; if either exceeds its threshold, a TCP SYN Flood attack is detected. After an attack is detected, if the TCP proxy is enabled, the destination IP is added to the protected IP address list of the TCP proxy submodule; otherwise a packet processing result of drop or pass is returned according to the currently configured policy. Finally an alarm log is output through the interface provided by the external log management module.
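The per-destination checks described for flood attacks (Figure 5) and for the TCP proxy linkage flow (Figure 7), as an added Python example written for this page rather than taken from the patent; the session-table interface, the threshold values and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FloodPolicy:
    """Thresholds the administrator sets in the zone policy (constructed values)."""
    rate_threshold: int            # new connections per second towards one destination IP
    half_open_threshold: int       # half-open TCP connections on one destination IP
    action: str = "drop"           # "drop" or "pass" for flood packets when no proxy applies
    tcp_proxy_enabled: bool = True


class SessionTable:
    """Stand-in for the firewall's session management module (assumed interface)."""
    def __init__(self, window=1.0):
        self.window = window                  # rate is measured over this many seconds
        self.new_conns = defaultdict(deque)   # dst_ip -> timestamps of new connections
        self.half_open = defaultdict(int)     # dst_ip -> current half-open TCP connections

    def record_new_connection(self, dst_ip, now):
        self.new_conns[dst_ip].append(now)

    def new_connection_rate(self, dst_ip, now):
        q = self.new_conns[dst_ip]
        while q and now - q[0] > self.window:   # forget events outside the window
            q.popleft()
        return len(q)

    def syn_received(self, dst_ip):
        self.half_open[dst_ip] += 1

    def handshake_completed(self, dst_ip):
        self.half_open[dst_ip] = max(0, self.half_open[dst_ip] - 1)


class FloodDetector:
    """Attack detection submodule: per-destination flood and SYN flood checks."""
    def __init__(self, policy, sessions):
        self.policy = policy
        self.sessions = sessions
        self.protected_ips = set()   # list handed to the TCP proxy submodule
        self.alarms = []             # stands in for the log management interface

    def handle(self, pkt, now):
        """Return 'pass', 'drop' or 'proxy' for one packet arriving on the zone."""
        dst = pkt["dst_ip"]
        if pkt["proto"] == "tcp" and dst in self.protected_ips:
            return "proxy"           # Safe Reset already protects this destination
        self.sessions.record_new_connection(dst, now)
        rate = self.sessions.new_connection_rate(dst, now)
        if pkt["proto"] == "tcp" and pkt.get("syn"):
            self.sessions.syn_received(dst)
            half_open = self.sessions.half_open[dst]
            if rate > self.policy.rate_threshold or half_open > self.policy.half_open_threshold:
                result = "proxy" if self.policy.tcp_proxy_enabled else self.policy.action
                if result == "proxy":
                    self.protected_ips.add(dst)
                self.alarms.append(f"SYN flood dst={dst} rate={rate} half_open={half_open} action={result}")
                return result
            return "pass"
        if rate > self.policy.rate_threshold:    # non-SYN packets: new-connection rate only
            self.alarms.append(f"flood dst={dst} proto={pkt['proto']} rate={rate} action={self.policy.action}")
            return self.policy.action
        return "pass"


def run_demo():
    """Constructed traffic: a UDP flood, a SYN flood with spoofed sources, and a normal client."""
    det = FloodDetector(FloodPolicy(rate_threshold=5, half_open_threshold=3), SessionTable())
    udp = [det.handle({"proto": "udp", "dst_ip": "198.51.100.5"}, 0.1 * i) for i in range(6)]
    syn = [det.handle({"proto": "tcp", "syn": True, "dst_ip": "198.51.100.6"}, 0.1 * i) for i in range(5)]
    ok = []
    for i in range(2):                      # the normal client completes each handshake
        ok.append(det.handle({"proto": "tcp", "syn": True, "dst_ip": "198.51.100.7"}, float(i)))
        det.sessions.handshake_completed("198.51.100.7")
    return {"udp": udp, "syn": syn, "ok": ok, "protected": det.protected_ips, "alarms": det.alarms}
```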
After the destination IP address is added to the protected IP address list, the TCP proxy submodule applies the Safe Reset technique to protect it, intercepting attack traffic without affecting normal traffic and thereby preventing the TCP SYN Flood attack.
The specific implementation of the Safe Reset technique mainly performs the following processing. When a SYN packet sent by a client to the server is received, a Cookie value is generated from the packet information, written into a SYN ACK packet as the acknowledgment sequence number, and returned to the client. When an RST packet sent by the client is received, the Cookie value carried in its sequence number field is verified; if it is legitimate, the connection is marked as trusted, otherwise it is marked as untrusted.
The processing flow on receiving a SYN packet is as follows:
(1) parse the packet and extract its four-tuple (source IP address, destination IP address, source port, destination port);
(2) look up the four-tuple records that have already passed verification and judge whether the SYN packet is trusted;
(3) if the SYN packet is trusted, continue forwarding it; otherwise construct an incorrect SYN ACK packet and send it. The SYN ACK packet is constructed by modifying the fields of the SYN packet so that it becomes a SYN ACK packet. Concretely, for the SYN packet: swap its source and destination IP addresses, swap its source and destination ports, set the SYN and ACK flag bits in the TCP header, compute the Cookie value, set the acknowledgment sequence number to the Cookie value, and finally adjust the checksum. The SYN ACK packet to be returned to the client is thus constructed. The Cookie value is computed as follows:
where Hash is a hash function that produces a hash value from the input four-tuple. The current system time is added into the Cookie value as a timestamp for use in the subsequent connection legitimacy check.
The processing flow on receiving an RST packet is as follows:
(1) parse the packet and extract its four-tuple (source IP address, destination IP address, source port, destination port);
(2) verify whether the packet's sequence number is legitimate. The correct sequence number should be the Cookie value computed when the SYN packet was received, plus 1.
(3) if verification succeeds, the connection is considered trusted and the four-tuple is added to the record; otherwise forwarding of the packet is stopped.
The sequence number is verified as follows: the timestamp added earlier is recovered from the Cookie value and subtracted from the current system time to obtain a time interval. If the interval is within a certain range, the acknowledgment sequence number is considered legitimate; if it exceeds that range, it is considered illegitimate. The time interval is computed as follows:
Hash in formula (4.1) and formula (4.2) is the same hash function. The hash function can be defined in many ways and need not be described in detail here.
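The SYN and RST handling above, as an added Python example that is not the patent's code. Since formulas (4.1) and (4.2) are not reproduced on this page, the cookie layout (Hash(four-tuple) + timestamp mod 2^32), the keyed hash, the 60-second validity window and the sample packets are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo values: the patent fixes neither the hash function nor the exact
# cookie layout, so the key, layout and validity window below are assumptions.
SECRET = b"constructed-demo-key"
MAX_INTERVAL = 60          # seconds a cookie stays acceptable (assumed)
MASK32 = 0xFFFFFFFF


def four_tuple_hash(src_ip, dst_ip, sport, dport):
    """Hash of the four-tuple; keyed so a client cannot precompute cookies."""
    data = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!HH", sport, dport))
    return int.from_bytes(hmac.new(SECRET, data, hashlib.sha256).digest()[:4], "big")


def make_cookie(four_tuple, now):
    """Assumed form of formula (4.1): Cookie = Hash(four-tuple) + timestamp (mod 2^32)."""
    return (four_tuple_hash(*four_tuple) + int(now)) & MASK32


def cookie_interval(four_tuple, cookie, now):
    """Assumed form of formula (4.2): recover the timestamp from the cookie, return now - timestamp."""
    stamp = (cookie - four_tuple_hash(*four_tuple)) & MASK32
    return (int(now) - stamp) & MASK32


def tcp_header(pkt, checksum=0):
    """20-byte TCP header without options (constructed packet model: a dict of fields)."""
    return struct.pack("!HHIIBBHHH", pkt["sport"], pkt["dport"], pkt["seq"], pkt["ack"],
                       5 << 4, pkt["flags"], 65535, checksum, 0)


def tcp_checksum(src_ip, dst_ip, segment):
    """Standard TCP checksum over the IPv4 pseudo-header and the segment."""
    data = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, len(segment)) + segment)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn_ack(syn, now):
    """Step (3) of the SYN flow: swap addresses and ports, set SYN+ACK, ack = Cookie, fix checksum."""
    four_tuple = (syn["src_ip"], syn["dst_ip"], syn["sport"], syn["dport"])
    reply = {"src_ip": syn["dst_ip"], "dst_ip": syn["src_ip"],
             "sport": syn["dport"], "dport": syn["sport"],
             "seq": 0, "ack": make_cookie(four_tuple, now), "flags": 0x12}   # 0x12 = SYN|ACK
    reply["checksum"] = tcp_checksum(reply["src_ip"], reply["dst_ip"], tcp_header(reply))
    return reply


class SafeReset:
    """Holds the four-tuples that passed the RST check (the verified-record store)."""
    def __init__(self):
        self.trusted = set()

    def on_syn(self, syn, now):
        """Trusted four-tuple: forward. Otherwise answer with the challenge SYN ACK."""
        ft = (syn["src_ip"], syn["dst_ip"], syn["sport"], syn["dport"])
        if ft in self.trusted:
            return "forward", None
        return "challenge", build_syn_ack(syn, now)

    def on_rst(self, rst, now):
        """Steps (2)-(3) of the RST flow: the sequence number must be Cookie + 1 and recent."""
        ft = (rst["src_ip"], rst["dst_ip"], rst["sport"], rst["dport"])
        cookie = (rst["seq"] - 1) & MASK32
        if cookie_interval(ft, cookie, now) <= MAX_INTERVAL:
            self.trusted.add(ft)
            return "trusted"
        return "untrusted"
```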

Claims (3)

1. A firewall attack defense method, characterized in that:
the defense method consists of a method for configuring attack-defense policies, a single-packet attack detection and prevention method, a scanning attack detection and prevention method, a flood attack detection and prevention method, and a SYN flood attack detection and prevention method;
the method for configuring attack-defense policies comprises the following steps:
receiving a configuration message;
parsing the configuration message, extracting the configuration parameters, and checking the validity of the configuration parameters;
displaying error prompt information for an invalid configuration and, for a valid configuration, making the newly configured policy take effect;
the single-packet attack detection and prevention method comprises the following steps:
receiving a packet;
checking the packet fields according to the currently configured policy and judging the legitimacy of the packet;
after an attack is detected, returning a packet processing result of drop or pass according to the currently configured policy;
outputting an alarm log;
the scanning attack detection and prevention method comprises the following steps:
receiving a packet;
querying the new-connection rate of the source IP address and judging whether the threshold is exceeded;
after an attack is detected, returning a packet processing result of drop or pass according to the currently configured policy;
adding the attacker's IP address to the blacklist;
outputting an alarm log;
the flood attack detection and prevention method comprises the following steps:
receiving a packet;
querying the new-connection rate of the destination IP address and judging whether the threshold is exceeded;
after an attack is detected, returning a packet processing result of drop or pass according to the currently configured policy;
outputting an alarm log through the interface;
the SYN flood attack detection and prevention method comprises the following steps:
receiving a TCP SYN packet;
querying the number of half-open connections and the new-connection rate of the destination IP address, and detecting a SYN flood attack if a threshold is exceeded;
after an attack is detected, if the TCP proxy is enabled, adding the destination IP to the protected IP address list; otherwise returning a packet processing result of drop or pass according to the currently configured policy;
outputting an alarm log.
2. The attack defense method according to claim 1, characterized in that:
in the SYN flood attack detection and prevention method, after the destination IP address is added to the protected IP address list, the Safe Reset technique is applied to protect it, intercepting attack traffic without affecting normal traffic and thereby preventing the SYN flood attack.
3. The attack defense method according to claim 1, characterized in that:
an attack-defense module is applied in the firewall to implement attack-defense policy configuration processing and the detection of various network attacks, and takes the corresponding attack-defense measures by calling the interfaces of the firewall's functional modules; the firewall has security zone management, configuration management, packet management, blacklist management, policy management, log management and session management functional modules, and the attack-defense module comprises a configuration processing submodule, an attack detection submodule and a TCP proxy submodule.
Application CN201810024379.8A, priority date 2018-01-11, filing date 2018-01-11: A kind of firewall attack defense method. Status: Pending. Publication CN109327426A (en).

Publications (1)

Publication Number Publication Date
CN109327426A 2019-02-12

Family ID: 65263078

Country Status (1)

Country Link
CN (1) CN109327426A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190212