CN109327426A - A kind of firewall attack defense method - Google Patents
A kind of firewall attack defense method

Publication number: CN109327426A (application number CN201810024379.8A)
Authority: CN (China)
Prior art keywords: attack, configuration, message, tcp, firewall
Legal status: Pending
Classifications (CPC, all under H04L—Transmission of digital information; H04L63/00—Network architectures or network communication protocols for network security, and H04L67/00—Network arrangements or protocols for supporting network services or applications)

- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
- H04L63/0281—Proxies
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L67/56—Provisioning of proxy services
Abstract
The present invention provides a firewall attack defense method. An attack-defense module is applied to a firewall that already has security-zone-based configuration management, message (packet) management and session management functions, giving the firewall a network attack detection function that accurately detects single-packet attacks, scanning attacks and flood (large-scale) attacks. Single-packet attacks specifically include: ICMP redirect attack, ICMP unreachable attack, IP source routing option attack, IP record route option attack, Land attack, Smurf attack, Fraggle attack and WinNuke attack. Scanning attacks specifically include: address scan attack and port scan attack. Flood attacks include: TCP SYN Flood attack, ICMP Flood attack and UDP Flood attack. After a network attack is detected, the corresponding defensive measures, such as dropping the packet, adding the source to a blacklist and outputting an alarm log, are taken according to the configuration. The method implements the Safe Reset technique under a TCP proxy linkage mechanism, which effectively defends against TCP SYN Flood attacks.
Description
Technical field
The invention belongs to the field of network security, and specifically relates to a firewall attack defense method.
Background technique
A network attack is an attack that exploits vulnerabilities and security defects in the hardware, software and protocols of a network system against the system itself and the data it holds. With the widespread use of computer networks, attack techniques have kept evolving: the crude, single-method attacks of the early days have developed into today's sophisticated, combined attack methods. The common attacks on the Internet currently fall into three classes: single-packet attacks, scanning attacks and flood attacks.
(1) Single-packet attack
A single-packet attack is also called a malformed packet attack. The attacker sends defective IP packets to the target (for example IP packets with overlapping fragments, or TCP packets with illegal flag combinations); because the target cannot process such packets correctly, the system crashes. Another form is that the attacker sends a large number of useless packets to maliciously occupy network bandwidth and cause network congestion.
(2) Scanning attack
The attacker uses scanning tools to scan host addresses or ports on a network in order to locate potential targets, discover the network topology of the target system and the services it has enabled, and use the collected information to launch further attacks.
(3) Flood attack
A flood attack is a form of DoS attack and includes TCP SYN Flood and UDP Flood attacks, among others. The attacker sends a large number of forged requests to the target system in a short time; the target is overwhelmed with processing junk, consumes a large amount of key resources and can no longer provide normal service to legitimate users, that is, a denial of service occurs.
Among the various network attacks, DoS attacks have become one of the most common attack methods because they are simple to carry out and highly destructive. Data show that more than 90% of DoS attacks exploit vulnerabilities in the TCP protocol, and TCP SYN Flood is the most commonly used means. Any system on the Internet that offers a TCP-based network service, such as a Web server, FTP server or mail server, is easily attacked by TCP SYN Flood. Good defense against SYN Flood attacks therefore plays a very important role in the overall attack-defense function of a firewall.
As an important means of protecting network security, a firewall should be able to defend effectively against all kinds of network attacks. The large-scale attacks that have emerged in recent years place stricter requirements on firewalls. With the wide deployment of firewalls and changes in the networking environment, the way firewall policies are configured is also developing towards easier use and higher efficiency.
A traditional firewall is based on the intranet/extranet model: the firewall sits between the internal and external networks, and security policies only need to be configured according to the incoming and outgoing interfaces of network packets. As firewalls developed, a deployment scheme based on zone division appeared, i.e. the intranet/extranet/DMZ (demilitarized zone) model. The DMZ is a special network region distinct from both the intranet and the extranet; public servers that hold no confidential information, such as Web, mail and FTP servers, are usually placed there. Visitors from the extranet can then access the services in the DMZ but cannot easily reach the company's confidential or personal information stored on the intranet, and even if a server in the DMZ is compromised, the confidential information on the intranet is not affected. In this model the firewall sits at the center of the three zones, connecting them in a triangular pattern.
In such a zone-based network environment, the traditional interface-based policy configuration requires a security policy for each interface; the maintenance workload of security policies multiplies, and with it the probability of introducing security risks through configuration. Modern firewalls therefore introduce the concept of a security zone. A security zone (Security Zone) is a logical grouping (sometimes also a physical grouping) of network assets and resources that share the same set of security attributes, and it is the core element on which a firewall implements policy and configuration management. Once security zones are introduced, the security administrator classifies interfaces or IP addresses with the same security requirements into different security zones, corresponding to the intranet, extranet, DMZ and other network regions of the real network structure. Dividing the network into security zones lets the firewall configuration follow the network structure more flexibly, implements hierarchical policy management, and improves the convenience and safety of firewall policy configuration.
Many firewalls now provide three independent security zones: the trusted zone (Trust), the untrusted zone (Untrust) and the demilitarized zone (DMZ). Additional security zones can be added according to actual needs, and the various functions of the firewall are realized through the policies configured on the security zones.
Although existing firewalls have security-zone-based configuration management, packet management and session management functions, they lack a comprehensive defense function that can detect many types of attack and take reasonable defensive measures against them. They have difficulty actively defending against the common network attacks with effective attack-defense techniques, and cannot guarantee that the network keeps operating normally under increasingly frequent attacks. The prior art still lacks a general security solution for firewalls.
Summary of the invention
In view of the above defects of the prior art, the present invention provides a firewall attack defense method that implements network attack detection, accurately detecting single-packet attacks, scanning attacks and flood attacks, and that takes the corresponding defensive measures according to the configuration once an attack is detected.
To achieve the above object, the technical solution adopted by the present invention is as follows:
A firewall attack defense method composed of a method for configuring the attack-defense policy, a single-packet attack detection and defense method, a scanning attack detection and defense method, a flood attack detection and defense method, and a SYN flood attack detection and defense method.
The method for configuring the attack-defense policy comprises the following steps:
Receive a configuration message;
Parse the configuration message and extract the configuration parameters, while checking the validity of the parameters;
For an illegal configuration, display an error message; for a legal configuration, apply the newly configured policy so that it takes effect;
The single-packet attack detection and defense method comprises the following steps:
Receive a packet;
Check the packet fields according to the currently configured policy and judge whether the packet is legitimate;
After an attack is detected, return the packet processing result, drop or allow, according to the currently configured policy;
Output an alarm log;
The scanning attack detection and defense method comprises the following steps:
Receive a packet;
Query the new-connection rate of the source IP address and judge whether it exceeds the threshold;
After an attack is detected, return the packet processing result, drop or allow, according to the currently configured policy;
Add the attacker's IP address to the blacklist;
Output an alarm log;
The flood attack detection and defense method comprises the following steps:
Receive a packet;
Query the new-connection rate of the destination IP address and judge whether it exceeds the threshold;
After an attack is detected, return the packet processing result, drop or allow, according to the currently configured policy;
Output an alarm log through the interface;
The SYN flood attack detection and defense method comprises the following steps:
Receive a TCP SYN packet;
Query the number of half-open connections and the new-connection rate of the destination IP address; if a threshold is exceeded, a SYN flood attack is detected;
After an attack is detected, if the TCP proxy is enabled, add the destination IP address to the protected IP address list; otherwise return the packet processing result, drop or allow, according to the currently configured policy;
Output an alarm log.
In the SYN flood attack detection and defense method, after the destination IP address has been added to the protected IP address list, protection is implemented with the Safe Reset technique, which intercepts attack traffic without affecting normal traffic and so achieves SYN flood attack defense.
By applying an attack-defense module to the firewall, the method implements attack-defense policy configuration processing and detection of the various network attacks, and takes the corresponding attack-defense measures by calling the functional module interfaces of the firewall. The firewall has security zone management, configuration management, packet management, blacklist management, policy management, log management and session management functional modules; the attack-defense module comprises a configuration processing submodule, an attack detection submodule and a TCP proxy submodule.
The significant beneficial effects obtained by the present invention are:
The present invention can detect many types of attack and take reasonable defensive measures against them;
By using an improved Safe Reset technique combined with a TCP proxy mechanism based on traffic anomaly detection, it achieves SYN Flood attack defense more efficiently and stably.
Description of the drawings
Fig. 1 shows the relationship between the attack-defense module and the external modules;
Fig. 2 is the processing flow chart for configuring a policy;
Fig. 3 is the processing flow chart for single-packet attack detection and defense;
Fig. 4 is the processing flow chart for scanning attack detection and defense;
Fig. 5 is the processing flow chart for flood attack detection and defense;
Fig. 6 illustrates the principle of a TCP SYN Flood attack;
Fig. 7 is the processing flow chart of the TCP proxy linkage mechanism.
Specific embodiment
The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
The present invention provides a firewall defense method in which an attack-defense module is applied to a firewall that already has security-zone-based configuration management, packet management and session management functions, thereby realizing network attack detection that accurately detects single-packet attacks, scanning attacks and flood attacks. Single-packet attacks specifically include: ICMP redirect attack, ICMP unreachable attack, IP source routing option attack, IP record route option attack, Land attack, Smurf attack, Fraggle attack and WinNuke attack. Scanning attacks specifically include: address scan attack and port scan attack. Flood attacks include: TCP SYN Flood attack, ICMP Flood attack and UDP Flood attack. After a network attack is detected, the corresponding defensive measures, such as dropping the packet, adding the source to a blacklist and outputting an alarm log, are taken according to the configuration. The Safe Reset technique under the TCP proxy linkage mechanism is implemented, effectively defending against TCP SYN Flood attacks.
The present invention is implemented as an attack-defense module of a security-zone-based firewall (hereafter the attack-defense module). It is integrated into the firewall and mainly carries out attack-defense policy configuration processing and the detection of the various network attacks, taking the corresponding attack-defense measures by calling the interfaces of the external modules (the firewall's functional modules). The firewall already has security zone management, configuration management, packet management, blacklist management, policy management, log management and session management functions. The attack-defense module connects to and communicates with the external module interfaces in the conventional way, which is not repeated here. The whole attack-defense module comprises a configuration processing submodule, an attack detection submodule and a TCP proxy submodule. Because TCP SYN Flood defense requires a TCP proxy that uses the Safe Reset technique, whose implementation principle is relatively complex, the TCP proxy function is split out into a separate submodule. After the attack detection submodule detects a TCP SYN Flood attack, it notifies the TCP proxy submodule to enable the TCP proxy function and defend against the TCP SYN Flood attack.
The relationships between the configuration processing submodule, the attack detection submodule and the TCP proxy submodule, and between the whole attack-defense module and the external modules, are shown in Fig. 1. The data flows between the modules are as follows:
D1: Configuration message. When the administrator configures the attack-defense policy through the user interface, the configuration management module passes the configuration message to the attack-defense module, which applies the policy to subsequent packets according to the configuration.
D2: Configuration processing return data. The attack-defense module returns the result of processing the configuration to the configuration management module.
D3: Security zone information. When outputting a log, the attack-defense module needs to obtain the relevant information about the specified security zone from the security zone module.
D4: Original attack-defense policy information. When checking a packet, the attack-defense module needs to obtain from the policy management module the attack-defense policy for the security zone the packet belongs to.
D5: Updated attack-defense policy information. When the administrator configures the attack-defense policy through the user interface, the attack-defense module passes the new policy information to the policy management module, which is responsible for updating the policy information.
D6: Session information. To detect scanning attacks and flood attacks, the attack-defense module queries session information from the session management module and obtains the number of half-open connections and the new-connection rate of a specified IP address on the network.
D7: Updated session state. After the attack-defense module detects an attack and takes the corresponding defensive measures, it sometimes needs to update the session state.
D8: Received packet data. The attack-defense module checks the validity of packets received by the firewall.
D9: Forwarded packet data. Certain fields of a packet checked by the attack-defense module may need to be modified; packets that are allowed continue to be forwarded directly.
D10: Blacklist entry information. For a detected scanning attack, the attacker's IP address can be added to the blacklist, and all packets from that host are then blocked for a specified period.
D11: Output log information. When an attack is detected, the current time, the attack type and the source and destination host information, etc., are written to the log.
D12: Configuration parameters. The configuration processing submodule parses the configuration message delivered by the external configuration management module, sets the configuration parameters and passes them to the attack detection submodule, which applies the corresponding function.
D13: Protected host information. After the attack detection submodule detects a TCP SYN Flood attack, the TCP proxy linkage mechanism is enabled, the attacked target host is added to the protected hosts, and the TCP proxy submodule defends the protected host using the Safe Reset technique.
The main processing flows of attack defense are as follows:
(1) Processing flow for configuring the attack-defense policy
The administrator can configure the firewall's attack-defense policy in two ways: through the command line and through a Web page. The policy content that can be configured for the attack-defense module includes creating, deleting and modifying the single-packet attack, scanning attack and flood attack defense policies. The attributes of an attack-defense policy include the security zone to which the policy applies, the enable switches and relevant thresholds for each specific attack detection, and the defensive measures to take after an attack is detected. The defensive measures include outputting an alarm log, dropping the attack packet and adding the attacking IP to the blacklist. In addition, for TCP SYN Flood attacks, enabling the TCP proxy function can also be configured as a defense.
Configuration of the attack-defense policy is mainly completed by the configuration processing submodule; its processing flow is shown in Fig. 2. After the configuration processing submodule receives the configuration message delivered by the external configuration management module, it parses the message and extracts the configuration parameters while checking their validity. For an illegal configuration it displays an error message; for a legal configuration it first updates the policy on the control plane, then delivers the configuration to the attack detection submodule so that the newly configured policy takes effect.
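As an added illustration of the configuration-processing flow just described (and of the configuration steps listed in the summary above), the following Python is not the patent's code: the line-oriented key=value message format, the parameter names, the known zone names, the allowed actions and the value ranges are all assumptions chosen for this example. It parses a configuration message, checks validity, and either reports errors or installs the policy in a per-zone policy table so that it takes effect.

```python
"""Parse, validate and apply an attack-defense policy configuration message.

Added example (not code from the patent); the message format, parameter
names and value ranges are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumed: the zones the firewall's security-zone module already knows about.
KNOWN_ZONES = {"trust", "untrust", "dmz"}
# Assumed: detection switches a policy may carry, and the defensive actions.
SINGLE_PACKET_CHECKS = {"land", "smurf", "fraggle", "winnuke", "icmp_redirect",
                        "icmp_unreachable", "ip_source_route", "ip_record_route"}
ACTIONS = {"log", "drop", "blacklist", "tcp_proxy"}


@dataclass
class Policy:
    zone: str
    single_packet: Set[str] = field(default_factory=set)
    scan_threshold: Optional[int] = None        # new connections/s per source IP
    flood_threshold: Optional[int] = None       # new connections/s per destination IP
    syn_halfopen_threshold: Optional[int] = None
    actions: Set[str] = field(default_factory=set)


def parse_config_message(text):
    """Turn a 'key=value' per line message into a dict; duplicate keys are an
    error because the administrator's intent would be ambiguous."""
    params, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: expected key=value, got {line!r}")
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in params:
            errors.append(f"line {lineno}: duplicate key {key!r}")
            continue
        params[key] = value
    return params, errors


def _positive_int(params, key, errors, limit=1_000_000):
    """Validity check for a threshold: optional, integer, within 1..limit."""
    if key not in params:
        return None
    try:
        n = int(params[key])
    except ValueError:
        errors.append(f"{key}: not an integer ({params[key]!r})")
        return None
    if not 1 <= n <= limit:
        errors.append(f"{key}: out of range 1..{limit} ({n})")
        return None
    return n


def validate(params):
    """Return (Policy, []) for a legal configuration or (None, error messages)."""
    errors = []
    zone = params.get("zone")
    if zone not in KNOWN_ZONES:
        errors.append(f"zone: unknown security zone {zone!r}")
    checks = set(filter(None, params.get("single_packet", "").split(",")))
    if checks - SINGLE_PACKET_CHECKS:
        errors.append(f"single_packet: unknown checks {sorted(checks - SINGLE_PACKET_CHECKS)}")
    actions = set(filter(None, params.get("actions", "log").split(",")))
    actions.add("log")                       # the alarm log is always output
    if actions - ACTIONS:
        errors.append(f"actions: unknown actions {sorted(actions - ACTIONS)}")
    policy = Policy(zone=zone, single_packet=checks, actions=actions,
                    scan_threshold=_positive_int(params, "scan_threshold", errors),
                    flood_threshold=_positive_int(params, "flood_threshold", errors),
                    syn_halfopen_threshold=_positive_int(params, "syn_halfopen_threshold", errors))
    if "tcp_proxy" in actions and policy.syn_halfopen_threshold is None:
        errors.append("actions: tcp_proxy requires syn_halfopen_threshold")
    return (policy if not errors else None), errors


def apply_config(text, policy_table):
    """Full flow: parse, check validity, then either report the errors or make
    the new policy take effect by installing it in policy_table (keyed by zone)."""
    params, errors = parse_config_message(text)
    if not errors:
        policy, errors = validate(params)
    if errors:
        return False, errors
    policy_table[policy.zone] = policy       # control-plane update: policy now applies
    return True, []


# Constructed sample messages for a stand-alone run.
GOOD_CONFIG = "zone=untrust\nsingle_packet=land,smurf,winnuke\nscan_threshold=100\n" \
              "syn_halfopen_threshold=500\nactions=drop,blacklist,tcp_proxy\n"
BAD_CONFIG = "zone=internet\nscan_threshold=-5\nactions=drop,reboot\n"

if __name__ == "__main__":
    table = {}
    print(apply_config(GOOD_CONFIG, table), table)
    print(apply_config(BAD_CONFIG, table))
```

The rejected message is reported with every error found rather than only the first, which is what an administrator at a command line or Web page needs to fix the configuration in one round; nothing is installed unless all checks pass, so a partially valid message cannot leave a zone with a half-applied policy.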
(2) Processing flow for single-packet attack detection and defense
If the administrator has configured a single-packet attack defense policy on a security zone, the attack detection submodule receives the packets in the inbound direction of that security zone and checks them against the currently configured policy. The administrator can configure the detection enable state for each type of single-packet attack and so defend selectively against the various single-packet attacks. If a packet is found to carry an attack signature, defensive measures are taken: if the policy is configured to drop packets when an attack is detected, the attack packet is dropped, otherwise it is allowed through. If no attack signature is detected, the packet is considered normal and is allowed and forwarded directly. Whenever an attack is detected, whether the attack packet is dropped or allowed, an alarm log is output that reports the detected attack type, the relevant information of the attack packet and the filtering action taken by the firewall.
The processing flow of single-packet attack detection and defense is shown in Fig. 3. After the attack detection submodule receives from the external packet management module a packet in the inbound direction of the security zone, it checks the packet fields according to the currently configured policy and judges whether the packet is legitimate. After an attack is detected, it returns the packet processing result, drop or allow, according to the currently configured policy, and finally outputs an alarm log through the interface provided by the external log management module.
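The following Python is an added example of the single-packet check described above, not code from the patent. It recognizes the eight single-packet attack types the patent lists (plus the illegal TCP flag combination mentioned in the background) from packet header fields, applies the per-zone enable switches and drop setting, and writes the alarm line whether or not the packet is dropped. Packets are plain dicts constructed here; the field names, the /24 directed-broadcast heuristic and the sample addresses are assumptions.

```python
"""Single-packet (malformed packet) attack checks for the attack types the
patent lists, applied under a zone's enable switches and drop setting.

Added example, not the patent's code. Packets are plain dicts constructed
here for illustration; the field names and the /24 broadcast heuristic are
assumptions.
"""
from typing import Dict, List, Optional, Tuple

# IPv4 option type codes (RFC 791) and ICMP/TCP constants used by the checks.
IP_OPT_LSRR, IP_OPT_SSRR, IP_OPT_RR = 131, 137, 7
ICMP_UNREACHABLE, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 3, 5, 8
TCP_FIN, TCP_SYN, TCP_URG = 0x01, 0x02, 0x20


def _is_broadcast(addr: str) -> bool:
    # Assumed: limited broadcast, or a directed broadcast of a /24 network.
    return addr == "255.255.255.255" or addr.endswith(".255")


def signature_of(pkt: Dict) -> Optional[str]:
    """Name the single-packet attack signature a packet carries, or None."""
    proto = pkt["proto"]
    opts = set(pkt.get("ip_options", []))
    if (proto in ("tcp", "udp") and pkt["src"] == pkt["dst"]
            and pkt["sport"] == pkt["dport"]):
        return "land"                     # source and destination identical
    if opts & {IP_OPT_LSRR, IP_OPT_SSRR}:
        return "ip_source_route"          # sender dictates the forwarding path
    if IP_OPT_RR in opts:
        return "ip_record_route"          # route recording leaks topology
    if proto == "icmp":
        if pkt["icmp_type"] == ICMP_REDIRECT:
            return "icmp_redirect"
        if pkt["icmp_type"] == ICMP_UNREACHABLE:
            return "icmp_unreachable"
        if pkt["icmp_type"] == ICMP_ECHO_REQUEST and _is_broadcast(pkt["dst"]):
            return "smurf"                # echo request aimed at a broadcast address
    if proto == "udp" and _is_broadcast(pkt["dst"]) and pkt["dport"] in (7, 19):
        return "fraggle"                  # echo/chargen aimed at a broadcast address
    if proto == "tcp":
        flags = pkt["flags"]
        if flags & TCP_URG and pkt["dport"] == 139:
            return "winnuke"              # urgent data to the NetBIOS session port
        if flags & TCP_SYN and flags & TCP_FIN:
            return "tcp_illegal_flags"    # SYN and FIN never appear together
    return None


def inspect(pkt: Dict, policy: Dict, log: List[str]) -> str:
    """Check one inbound packet against the zone's single-packet policy.

    Returns 'drop' or 'pass'. Whenever an enabled signature is seen an alarm
    line is appended to log, regardless of whether the packet is dropped.
    """
    sig = signature_of(pkt)
    if sig is None or sig not in policy["enabled"]:
        return "pass"                     # normal packet, or detection disabled
    action = "drop" if policy["drop_on_attack"] else "pass"
    log.append(f"zone={policy['zone']} attack={sig} src={pkt['src']} "
               f"dst={pkt['dst']} proto={pkt['proto']} action={action}")
    return action


def run(packets: List[Dict], policy: Dict) -> Tuple[List[str], List[str]]:
    """Inspect a batch of packets; return (actions, alarm log)."""
    log: List[str] = []
    return [inspect(p, policy, log) for p in packets], log


# Constructed sample policy and packets (illustrative addresses only).
POLICY = {"zone": "untrust", "drop_on_attack": True,
          "enabled": {"land", "smurf", "winnuke", "icmp_redirect", "ip_source_route"}}
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.5", "proto": "tcp", "sport": 80, "dport": 80, "flags": TCP_SYN},
    {"src": "198.51.100.7", "dst": "10.0.0.255", "proto": "icmp", "icmp_type": ICMP_ECHO_REQUEST},
    {"src": "198.51.100.9", "dst": "10.0.0.20", "proto": "tcp", "sport": 4444, "dport": 139, "flags": TCP_URG},
    {"src": "198.51.100.9", "dst": "10.0.0.20", "proto": "tcp", "sport": 4444, "dport": 443, "flags": TCP_SYN},
    {"src": "198.51.100.3", "dst": "10.0.0.20", "proto": "icmp", "icmp_type": ICMP_UNREACHABLE},
]

if __name__ == "__main__":
    actions, alarms = run(SAMPLE_PACKETS, POLICY)
    print(actions)
    print("\n".join(alarms))
```

The last sample packet carries an ICMP unreachable signature but that check is not enabled in the sample policy, so it passes without an alarm; this is the selective defense the text describes. A real module would decode the option list and flag bits from the raw header rather than receive them pre-parsed.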
(3) Processing flow for scanning attack detection and defense
If the administrator has configured a scanning attack defense policy on a security zone, the attack detection submodule receives the packets in the inbound direction of that security zone, parses the source IP address from each packet and queries the new-connection rate of that source IP address. If the rate exceeds the new-connection rate threshold configured by the administrator in the policy, the packet is considered a scanning attack packet. For scanning attacks the firewall always drops the attack packet; whether to drop it cannot be configured by the administrator. In addition, if the policy is configured to blacklist the attacking IP address, the source IP address of the attack packet is added to the blacklist, and for a certain period all packets whose source IP address is on the blacklist are simply discarded. If the new-connection rate of the packet's source IP address does not exceed the threshold configured in the policy, the packet is considered normal and is allowed and forwarded directly. Finally, whenever a scanning attack is detected, an alarm log is output that reports the detected attack type, the relevant information of the attack packet and the filtering action taken by the firewall.
The processing flow of scanning attack detection and defense is shown in Fig. 4. After the attack detection submodule receives from the external packet management module a packet in the inbound direction of the security zone, it queries the new-connection rate of the source IP address through the interface provided by the external session management module and judges whether it exceeds the threshold. After an attack is detected, it returns the packet processing result, drop or allow, according to the currently configured policy, adds the attacker's IP address to the blacklist through the interface provided by the external blacklist management module, and finally outputs an alarm log through the interface provided by the external log management module.
(4) Processing flow for flood attack detection and defense
If the administrator has configured a flood attack defense policy on a security zone, the attack detection submodule receives the packets in the outbound direction of that security zone, parses the destination IP address from each packet and then judges the packet type. For a non-TCP-SYN packet it queries the new-connection rate of the destination IP address; if the rate exceeds the threshold set by the administrator in the policy, a flood attack is considered to be in progress and the attack packet is dropped or allowed according to the policy configuration. A packet judged to be normal is allowed and forwarded directly. Whenever a flood attack is detected, an alarm log is output that reports the detected attack type, the relevant information of the attack packet and the filtering action taken by the firewall.
The processing flow of flood attack detection and defense is shown in Fig. 5. After the attack detection submodule receives from the external packet management module a packet in the outbound direction of the security zone, it queries the new-connection rate of the destination IP address through the interface provided by the external session management module and judges whether it exceeds the threshold. After an attack is detected, it returns the packet processing result, drop or allow, according to the currently configured policy, and finally outputs an alarm log through the interface provided by the external log management module.
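As an added example (not the patent's code) of the scanning attack flow in (3), the flood attack flow in (4) and the SYN flood detection steps from the summary, the following Python tracks new-connection rates per source and per destination IP address in a sliding window together with half-open connection counts per destination, and applies the three threshold checks in turn: scan packets are always dropped and the source may be blacklisted for a period, a SYN flood hands the destination to the protected-host list when the TCP proxy is enabled, and a non-SYN flood is dropped or allowed according to the policy. The tracker stands in for the session management module interface and the expiry dict for the blacklist module; packet dicts, thresholds, addresses and window size are all constructed for illustration.

```python
"""Rate- and half-open-connection-based detection for the scanning attack,
flood attack and SYN flood checks, with blacklist and protected-host lists.

Added example, not the patent's code. SessionTracker stands in for the
session management module and the blacklist dict for the blacklist module;
packet dicts, thresholds and addresses are constructed for illustration.
"""
from collections import defaultdict, deque


class SessionTracker:
    """New-connection counts in a sliding window per key, plus half-open
    connection counts per destination IP address."""

    def __init__(self, window_seconds=1.0):
        self.window = window_seconds
        self.new_conns = defaultdict(deque)   # key -> timestamps of new connections
        self.half_open = defaultdict(int)     # dst ip -> half-open connections

    def _prune(self, key, now):
        q = self.new_conns[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_new_connection(self, key, now):
        self._prune(key, now).append(now)

    def new_connection_rate(self, key, now):
        return len(self._prune(key, now)) / self.window

    def syn_received(self, dst):
        self.half_open[dst] += 1

    def handshake_done_or_timed_out(self, dst):
        self.half_open[dst] = max(0, self.half_open[dst] - 1)


class AttackDetector:
    def __init__(self, policy, tracker):
        self.policy, self.tracker = policy, tracker
        self.blacklist = {}      # src ip -> expiry time
        self.protected = set()   # destination IPs handed to the TCP proxy
        self.log = []

    def _alarm(self, attack, pkt, action):
        self.log.append(f"t={pkt['t']:.2f} attack={attack} src={pkt['src']} "
                        f"dst={pkt['dst']} action={action}")

    def handle(self, pkt):
        """Return the processing result for one packet: 'drop', 'pass' or 'proxy'."""
        p, tr, now = self.policy, self.tracker, pkt["t"]
        expiry = self.blacklist.get(pkt["src"])
        if expiry is not None:
            if now < expiry:
                return "drop"                # blacklisted source: discard silently
            del self.blacklist[pkt["src"]]
        if pkt["new_conn"]:
            tr.record_new_connection(("src", pkt["src"]), now)
            tr.record_new_connection(("dst", pkt["dst"]), now)
        if pkt["syn"]:
            tr.syn_received(pkt["dst"])

        # Scanning attack: new-connection rate of the source IP (inbound).
        if tr.new_connection_rate(("src", pkt["src"]), now) > p["scan_threshold"]:
            if p["blacklist"]:
                self.blacklist[pkt["src"]] = now + p["blacklist_seconds"]
            self._alarm("scan", pkt, "drop")
            return "drop"                    # scan packets are always dropped

        # SYN flood: half-open connections towards the destination IP.
        if pkt["syn"] and tr.half_open[pkt["dst"]] > p["syn_halfopen_threshold"]:
            if p["tcp_proxy"]:
                self.protected.add(pkt["dst"])   # hand the host to the TCP proxy
                self._alarm("syn_flood", pkt, "proxy")
                return "proxy"
            action = "drop" if p["drop"] else "pass"
            self._alarm("syn_flood", pkt, action)
            return action

        # Flood attack: new-connection rate of the destination IP for non-SYN packets.
        if not pkt["syn"] and tr.new_connection_rate(("dst", pkt["dst"]), now) > p["flood_threshold"]:
            action = "drop" if p["drop"] else "pass"
            self._alarm("flood", pkt, action)
            return action
        return "pass"


# Constructed policy and traffic for a stand-alone run.
POLICY = {"scan_threshold": 20, "flood_threshold": 50, "syn_halfopen_threshold": 30,
          "drop": True, "blacklist": True, "blacklist_seconds": 60, "tcp_proxy": True}


def _pkt(t, src, dst, syn):
    return {"t": t, "src": src, "dst": dst, "new_conn": True, "syn": syn}


def simulate(policy=POLICY):
    det = AttackDetector(policy, SessionTracker())
    # One source opening 40 connections in 0.4 s: a port scan against 10.0.0.1.
    scan = [det.handle(_pkt(i * 0.01, "203.0.113.9", "10.0.0.1", True)) for i in range(40)]
    # 50 SYNs from 50 different sources that never complete: SYN flood on 10.0.0.2.
    syn = [det.handle(_pkt(100 + i * 0.01, f"198.51.100.{i}", "10.0.0.2", True)) for i in range(50)]
    # 60 non-SYN new connections towards 10.0.0.3 in 0.6 s: a UDP flood.
    udp = [det.handle(_pkt(200 + i * 0.01, f"192.0.2.{i}", "10.0.0.3", False)) for i in range(60)]
    # The scanner returns after its blacklist entry has expired.
    later = det.handle(_pkt(300, "203.0.113.9", "10.0.0.1", True))
    return {"scan": scan, "syn": syn, "udp": udp, "after_expiry": later,
            "protected": det.protected, "log": det.log}


if __name__ == "__main__":
    r = simulate()
    for name in ("scan", "syn", "udp"):
        print(name, "pass:", r[name].count("pass"), "drop:", r[name].count("drop"), "proxy:", r[name].count("proxy"))
    print("\n".join(r["log"][:3]))
```

Once the scanner is blacklisted, its remaining packets are dropped before any counter is touched, so a blacklisted host cannot keep inflating the per-destination statistics; the half-open counter is decremented through handshake_done_or_timed_out, which is the session-state update (data flow D7) a real module would drive from the session table.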
(5) Processing flow for TCP SYN Flood (also called SYN flood) attack detection and defense
Among flood attacks, TCP SYN Flood is the hardest to handle; it is detected and defended against using the TCP proxy mechanism and the Safe Reset technique.
TCP SYN Flood is one of the most common DDoS attack patterns. It exploits a defect in the TCP connection establishment process: by sending a large number of forged TCP connection requests it exhausts the resources of the attacked host so that normal client requests cannot be handled. The attack is simple to carry out but hard to detect, because attack traffic and normal traffic are mixed together and hard to tell apart correctly, and the attack traffic has no fixed signature that a signature database could recognize. The TCP connection establishment process is usually called the "TCP three-way handshake" and can be summarized compactly as: (1) the client sends a SYN segment to the server; (2) the server returns a SYN ACK segment to the client; (3) the client returns an ACK segment to the server.
During TCP connection establishment, the client and the server each allocate resources for the current connection. In the three-way handshake described above, once the server has received the client's SYN segment, i.e. when the first handshake step is complete, it allocates TCB resources for the connection to be established. The TCB (TCP control block) holds all the node information TCP maintains for each connection, including the sequence numbers, window sizes and retransmission counts in both directions. Every TCP connection requires one TCB, and each TCB occupies 140 bytes of storage. At this point the TCP connection is not yet fully established and is called a half-open connection. The half-open connection is released only after the server receives the client's ACK response or the connection times out, whereas the client allocates its TCB resources only after receiving the SYN ACK. This asymmetric resource allocation model can be exploited by an attacker, forming the TCP SYN Flood attack.
As shown in Figure 6, the attacker initiates a connection to the target server from a non-existent source IP address. The server responds with a SYN ACK, but because the destination address of that response is not the attacker's real address, nothing at that address will answer the server. The final step of the TCP handshake therefore never happens: the connection stays half-open until it times out and is released. If the attacker keeps sending SYN segments to an open port of the target server faster than the server's TCP connection timeout releases them, all of the server's TCB resources are consumed and it can no longer accept connection requests from other clients.
Traditional TCP SYN Flood prevention is mainly traffic-anomaly detection based on limiting the new-connection rate and the half-open connection count: when the rate at which a source host initiates TCP connections to a destination host, or the number of half-open connections it has established, exceeds a threshold, the firewall blocks the subsequent traffic. The drawback of this method is that it cannot distinguish attack traffic from normal traffic: once a TCP SYN Flood is detected, all subsequent TCP segments are dropped, and the server cannot respond to connection requests from normal users either.
The TCP proxy mechanism addresses this problem. When a client requests a connection to a protected server through the TCP proxy, the proxy first verifies whether the client's request is part of a TCP SYN Flood. Only after the request passes verification is a TCP connection established between client and server, so the server itself is never exposed to the attack.
The usual way to implement a TCP proxy is the SYN Cookie technique. It changes the resource allocation strategy: by checking the legitimacy of each TCP connection it filters out malicious connection segments while keeping the server's session traffic running normally.
The principle and detailed procedure of SYN Cookies are prior art and are not repeated here.
In practice, however, SYN Cookies have a limitation. Because the firewall ultimately proxies every connection segment between client and server, it must be deployed on the critical path at both the entrance and the exit of the protected server, so that all segments from clients to the server and all segments the server returns to clients pass through the device. In real networks the server's responses to clients may not traverse the firewall (for example under asymmetric routing), and SYN Cookies then no longer work properly.
For this reason the present invention uses an improved Safe Reset technique, likewise based on the TCP proxy mechanism, to detect and prevent TCP SYN Flood attacks.
Safe Reset is a technique by which the firewall identifies legitimate clients by intervening in normal TCP connection establishment. The firewall processes the TCP negotiation segments that establish a connection, modifies the acknowledgement number of the response segment so that it carries authentication information (called the Cookie), and then verifies the information carried in the client's reply to that negotiation segment to determine whether the segments are legitimate.
While authenticating TCP connections with Safe Reset, the firewall forwards segments from legitimate clients normally and drops new-connection segments from forged clients and from illegitimate clients that merely simulate a TCP protocol stack. The server therefore never allocates connection resources for SYN segments from forged or illegitimate clients, and the TCP SYN Flood attack is avoided.
The principle and detailed procedure of Safe Reset are likewise prior art and are not repeated here.
To further improve network performance after adopting Safe Reset, the present invention combines traffic-anomaly detection with a TCP proxy linkage mechanism to prevent TCP SYN Flood attacks. Traffic-anomaly detection uses two methods: half-open connection count detection and new-connection rate detection.
When a malicious client launches a TCP SYN Flood against a target server using forged source IP addresses, a large number of half-open connections accumulate on the target server. In addition, whether the malicious client uses forged source IP addresses or its real IP address, the number of segments destined for the server rises sharply within a short time. Therefore, when the half-open connection count or the new-connection rate of a protected host exceeds a threshold, the host is considered to be under TCP SYN Flood attack.
The process flow of the TCP proxy linkage mechanism is shown in Figure 7. When the attack-detection submodule receives a TCP SYN segment handed over by the external (firewall) message-management module from the security-zone direction, it calls the interface provided by the external (firewall) session-management module to query the half-open connection count and the new-connection rate of the destination IP address; if either exceeds its threshold, a TCP SYN Flood attack is detected. After the attack is detected, if the TCP proxy is enabled, the destination IP is added to the protected IP address list of the TCP proxy submodule; otherwise the segment processing result, drop or pass, is returned according to the currently configured policy. Finally an alarm log is written through the interface provided by the external log-management module.
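The detection and linkage flow above, as an added Python example that is not part of the patent or any product it describes. The session table stands in for the firewall's session-management module, the thresholds, the 4-tuple key and the constructed traffic (one legitimate client on 198.51.100.7, a spoofed flood from 203.0.113.0/24 toward 10.0.0.5) are this example's assumptions, and `handle_syn` returns the linkage decision ("forward", "proxy", or the configured drop/pass action) so it can be checked:

```python
from collections import defaultdict, deque

# Thresholds are constructed for this example; the patent leaves them to configuration.
HALF_OPEN_THRESHOLD = 100      # half-open connections per destination IP
NEW_CONN_RATE_THRESHOLD = 50   # new SYNs per destination IP within the window
RATE_WINDOW_SECONDS = 1.0


class SessionTable:
    """Stand-in for the firewall's session-management module: tracks half-open
    connections (SYN seen, final ACK not yet seen) and SYN arrival times."""

    def __init__(self):
        self.half_open = defaultdict(set)    # dst_ip -> set of 4-tuples
        self.syn_times = defaultdict(deque)  # dst_ip -> SYN arrival times in window

    def on_syn(self, four_tuple, now):
        dst_ip = four_tuple[1]
        self.half_open[dst_ip].add(four_tuple)
        times = self.syn_times[dst_ip]
        times.append(now)
        while times and now - times[0] > RATE_WINDOW_SECONDS:
            times.popleft()                  # slide the rate window

    def on_handshake_ack(self, four_tuple):
        """Third handshake step: the connection is no longer half-open."""
        self.half_open[four_tuple[1]].discard(four_tuple)

    def half_open_count(self, dst_ip):
        return len(self.half_open[dst_ip])

    def new_conn_rate(self, dst_ip, now):
        recent = sum(1 for t in self.syn_times[dst_ip] if now - t <= RATE_WINDOW_SECONDS)
        return recent / RATE_WINDOW_SECONDS


class AttackDefense:
    """Attack-detection submodule plus the TCP proxy linkage decision."""

    def __init__(self, sessions, tcp_proxy_enabled=True, policy_action="drop"):
        self.sessions = sessions
        self.tcp_proxy_enabled = tcp_proxy_enabled
        self.policy_action = policy_action   # "drop" or "pass", per the configured policy
        self.protected_ips = set()           # the TCP proxy submodule's protected list
        self.alarms = []                     # stands in for the log-management module

    def handle_syn(self, four_tuple, now):
        self.sessions.on_syn(four_tuple, now)
        dst_ip = four_tuple[1]
        half_open = self.sessions.half_open_count(dst_ip)
        rate = self.sessions.new_conn_rate(dst_ip, now)
        if half_open <= HALF_OPEN_THRESHOLD and rate <= NEW_CONN_RATE_THRESHOLD:
            return "forward"                 # no anomaly: normal forwarding
        self.alarms.append(f"SYN flood toward {dst_ip}: half_open={half_open} rate={rate:.0f}/s")
        if self.tcp_proxy_enabled:
            self.protected_ips.add(dst_ip)   # Safe Reset takes over for this destination
            return "proxy"
        return self.policy_action            # no proxy: apply the configured drop/pass


def simulate(n_attack_syns=150, duration=0.5):
    """Constructed traffic: a legitimate client that completes its handshake, then
    (two seconds later) a spoofed-source flood against 10.0.0.5 packed into `duration` s."""
    fw = AttackDefense(SessionTable(), tcp_proxy_enabled=True)
    t0 = 1_700_000_000.0                    # constructed clock
    legit = ("198.51.100.7", "10.0.0.5", 51515, 80)
    legit_verdict = fw.handle_syn(legit, t0)
    fw.sessions.on_handshake_ack(legit)      # client's ACK arrives: no longer half-open
    first_hit = None
    for i in range(n_attack_syns):
        now = t0 + 2.0 + duration * i / n_attack_syns
        # one fresh forged source per SYN; none of them ever sends the final ACK
        spoofed = (f"203.0.113.{i % 250 + 1}", "10.0.0.5", 40000 + i, 80)
        if fw.handle_syn(spoofed, now) != "forward" and first_hit is None:
            first_hit = i + 1
    return {
        "legit_verdict": legit_verdict,
        "first_hit": first_hit,              # 1-based index of the first SYN flagged
        "half_open": fw.sessions.half_open_count("10.0.0.5"),
        "protected": sorted(fw.protected_ips),
        "alarms": len(fw.alarms),
    }
```

With these thresholds the new-connection rate trips first (the 51st SYN inside one second), well before the half-open count reaches 100; in a slow flood the half-open count would be the one that trips, which is why the patent queries both.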
Once a destination IP address has been added to the protected IP address list, the TCP proxy submodule applies Safe Reset to protect it, intercepting attack traffic without affecting normal traffic, and thus prevents the TCP SYN Flood attack.
The specific implementation of Safe Reset mainly does the following. On receiving a SYN segment that a client sends to a server, it generates a Cookie value from the segment's fields, writes that value into the acknowledgement number of a SYN ACK segment and returns it to the client. If it then receives a RST segment from the client, it verifies whether the Cookie value carried in the RST's sequence number field is legitimate; if so, the connection is recorded as trusted, otherwise as untrusted.
The process flow on receiving a SYN segment is as follows:
(1) parse the segment and extract its four-tuple (source IP address, destination IP address, source port, destination port);
(2) look the four-tuple up among the records that have already passed verification to decide whether the SYN segment is trusted;
(3) if the SYN segment is trusted, forward it; otherwise construct a deliberately wrong SYN ACK segment and send it. The SYN ACK is constructed by modifying the fields of the SYN segment itself: swap its source and destination IP addresses, swap its source and destination ports, set both the SYN and ACK flag bits in the TCP header, compute the Cookie value, set the acknowledgement number to the Cookie value, and finally adjust the checksum. The SYN ACK segment to return to the client is then complete. The Cookie value is calculated by formula (4.1), where Hash is a hash function that produces a hash value from the input four-tuple. The current system time is added into the Cookie value as a timestamp for the subsequent legitimacy check of the connection.
The process flow on receiving a RST segment is as follows:
(1) parse the segment and extract its four-tuple (source IP address, destination IP address, source port, destination port);
(2) verify whether the segment's sequence number is legitimate. The correct sequence number is the Cookie value computed when the SYN segment was received, plus 1. (RFC 793 specifies that a client in the SYN-SENT state answers a segment with an unacceptable acknowledgement number with a RST whose sequence number equals that acknowledgement number exactly, so the acknowledgement number written into the SYN ACK must be chosen so that this check holds for a standards-conforming client.)
(3) if verification succeeds, the connection is regarded as trusted and its four-tuple is added to the records; otherwise the segment is not forwarded.
The sequence number is verified by recovering the previously added timestamp from the Cookie value and subtracting it from the current system time to obtain a time interval; if the interval lies within a certain range the acknowledgement number is considered legitimate, and if it exceeds that range it is considered illegitimate. The time interval is obtained by formula (4.2). The Hash in formulas (4.1) and (4.2) is the same hash function; a hash function can be defined in many ways and need not be detailed here.
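The SYN and RST processing flows above, as one added Python example that is not the patent's or any vendor's code. Formulas (4.1) and (4.2) are not reproduced on the page, so the Cookie layout here (an 8-bit timestamp in the top byte over 24 bits of a keyed hash of the four-tuple and that timestamp, with an 8-bit wraparound age check) is this example's assumption, as are `SECRET_KEY`, `COOKIE_MAX_AGE` and the sample client/server addresses; `RST_SEQ_OFFSET` encodes the "Cookie plus 1" check the patent states. The TCP header is built and checksummed with `struct` so the address/port swap, flag setting and checksum adjustment are visible:

```python
import hashlib
import hmac
import socket
import struct

# Assumptions for this example (the patent leaves them open):
SECRET_KEY = b"constructed-per-device-secret"  # keys the Cookie hash; rotate in practice
COOKIE_MAX_AGE = 60       # seconds an issued Cookie stays valid
RST_SEQ_OFFSET = 1        # the patent checks RST.seq == Cookie + 1

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
TCP_HDR = "!HHIIHHHH"     # sport, dport, seq, ack, offset/flags, window, checksum, urgent


def tcp_checksum(src_ip, dst_ip, segment):
    """Ones'-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535):
    """Build a 20-byte TCP header (no options) with a correct checksum."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]


def parse_tcp(segment):
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window}


def cookie_for(four_tuple, ts):
    """Cookie = 8-bit timestamp (top byte) | 24 bits of keyed hash over the
    four-tuple and that timestamp. Layout is this example's assumption."""
    src_ip, dst_ip, sport, dport = four_tuple
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!HHB", sport, dport, ts & 0xFF)
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return ((ts & 0xFF) << 24) | int.from_bytes(digest[:3], "big")


class SafeResetProxy:
    def __init__(self):
        self.trusted = set()   # four-tuples that have passed verification

    def on_syn(self, src_ip, dst_ip, segment, now):
        t = parse_tcp(segment)
        four_tuple = (src_ip, dst_ip, t["sport"], t["dport"])
        if four_tuple in self.trusted:
            return "forward", None           # already verified: forward to the server
        cookie = cookie_for(four_tuple, int(now))
        # Turn the SYN into a SYN ACK: swap addresses and ports, set SYN|ACK, write
        # the Cookie as the acknowledgement number, recompute the checksum. The ack
        # does not match the client's ISN, so a real TCP stack replies with a RST.
        reply = build_tcp(dst_ip, src_ip, t["dport"], t["sport"],
                          seq=0, ack=cookie, flags=TCP_SYN | TCP_ACK)
        return "reply", reply                # SYN itself is not forwarded

    def on_rst(self, src_ip, dst_ip, segment, now):
        if tcp_checksum(src_ip, dst_ip, segment) != 0:
            return "drop"                    # corrupt segment
        t = parse_tcp(segment)
        four_tuple = (src_ip, dst_ip, t["sport"], t["dport"])
        cookie = (t["seq"] - RST_SEQ_OFFSET) & 0xFFFFFFFF
        issued = cookie >> 24                # timestamp recovered from the Cookie
        age = (int(now) - issued) & 0xFF     # time interval, 8-bit wraparound (assumed)
        if age > COOKIE_MAX_AGE or cookie != cookie_for(four_tuple, issued):
            return "drop"                    # stale, forged or mismatched Cookie
        self.trusted.add(four_tuple)         # record the four-tuple as trusted
        return "trusted"
```

A forged source never sees the SYN ACK and so never sends the RST, and a minimal SYN generator that does not run a real TCP stack sends nothing either; in both cases nothing reaches the server. The keyed hash means an attacker who observes one Cookie cannot mint valid ones for other four-tuples, and the age check bounds replay of a captured RST.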
Claims (3)
1. A firewall attack defense method, characterized in that:
the defense method consists of a method for configuring the attack-defense policy, a single-packet attack detection and prevention method, a scanning attack detection and prevention method, a flood attack detection and prevention method, and a SYN flood attack detection and prevention method;
the method for configuring the attack-defense policy comprises the following steps:
receiving a configuration message;
parsing the configuration message and extracting the configuration parameters, while checking the validity of the configuration parameters;
displaying an error message for an invalid configuration, and for a valid configuration, putting the newly configured policy into effect;
the single-packet attack detection and prevention method comprises the following steps:
receiving a message;
checking the message fields according to the currently configured policy to judge the legitimacy of the message;
after an attack is detected, returning the message processing result, drop or pass, according to the currently configured policy;
outputting an alarm log;
the scanning attack detection and prevention method comprises the following steps:
receiving a message;
querying the new-connection rate of the source IP address and judging whether it exceeds the threshold;
after an attack is detected, returning the message processing result, drop or pass, according to the currently configured policy;
adding the attacker's IP address to the blacklist;
outputting an alarm log;
the flood attack detection and prevention method comprises the following steps:
receiving a message;
querying the new-connection rate of the destination IP address and judging whether it exceeds the threshold;
after an attack is detected, returning the message processing result, drop or pass, according to the currently configured policy;
outputting an alarm log through the interface;
the SYN flood attack detection and prevention method comprises the following steps:
receiving a TCP SYN message;
querying the half-open connection count and the new-connection rate of the destination IP address, and detecting a SYN flood attack if either exceeds its threshold;
after an attack is detected, if the TCP proxy is enabled, adding the destination IP to the protected IP address list, otherwise returning the message processing result, drop or pass, according to the currently configured policy;
outputting an alarm log.
2. The attack defense method according to claim 1, characterized in that:
in the SYN flood attack detection and prevention method, after the destination IP address is added to the protected IP address list, the Safe Reset technique is applied to protect it, intercepting attack traffic without affecting normal traffic, so as to prevent the SYN flood attack.
3. The attack defense method according to claim 1, characterized in that:
an attack-defense module applied in the firewall implements the attack-defense policy configuration processing and the detection of the various network attacks, and takes the corresponding attack-defense measures by calling the interfaces of the firewall's functional modules; the firewall has security-zone management, configuration management, message management, blacklist management, policy management, log management and session management functional modules, and the attack-defense module comprises a configuration-processing submodule, an attack-detection submodule and a TCP proxy submodule.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810024379.8A CN109327426A (en) | 2018-01-11 | 2018-01-11 | A kind of firewall attack defense method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109327426A (en) | 2019-02-12 |
Family
ID=65263078
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810024379.8A Pending CN109327426A (en) | 2018-01-11 | 2018-01-11 | A kind of firewall attack defense method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109327426A (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109962918A (en) * | 2019-03-28 | 2019-07-02 | 烽火通信科技股份有限公司 | A kind of method, system and the equipment of defensive attack message |
CN110071939A (en) * | 2019-05-05 | 2019-07-30 | 江苏亨通工控安全研究院有限公司 | The improved method in industrial network is protected for traditional DDOS firewall SYN FLOOD |
CN110120956A (en) * | 2019-05-28 | 2019-08-13 | 杭州迪普科技股份有限公司 | Message processing method and device based on virtual firewall |
CN110532753A (en) * | 2019-07-01 | 2019-12-03 | 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) | The safety protecting method and equipment of train operation monitoring and recording device business data flow |
CN111181850A (en) * | 2019-08-12 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Data packet flooding suppression method, device and equipment and computer storage medium |
CN111698214A (en) * | 2020-05-15 | 2020-09-22 | 平安科技(深圳)有限公司 | Network attack security processing method and device and computer equipment |
CN111970308A (en) * | 2020-09-03 | 2020-11-20 | 杭州安恒信息技术股份有限公司 | Method, device and equipment for protecting SYN Flood attack |
CN112242934A (en) * | 2019-07-16 | 2021-01-19 | 北京华耀科技有限公司 | RTT (round trip time) calculation method for TCP (Transmission control protocol) connection |
CN112804220A (en) * | 2020-12-31 | 2021-05-14 | 北京天融信网络安全技术有限公司 | Firewall testing method and device, electronic equipment and storage medium |
CN113810398A (en) * | 2021-09-09 | 2021-12-17 | 新华三信息安全技术有限公司 | Attack protection method, device, equipment and storage medium |
CN114268458A (en) * | 2021-11-23 | 2022-04-01 | 贵州电网有限责任公司 | Protection method of safety protection module for terminal public network safety communication |
CN114584338A (en) * | 2021-12-31 | 2022-06-03 | 网络通信与安全紫金山实验室 | Nftables-based white box switch security protection method and device and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101123492A (en) * | 2007-09-06 | 2008-02-13 | 杭州华三通信技术有限公司 | Method and device for detecting scanning attack |
CN102291441A (en) * | 2011-08-02 | 2011-12-21 | 杭州迪普科技有限公司 | Method and security agent device for protecting against attack of synchronize (SYN) Flood |
CN104468624A (en) * | 2014-12-22 | 2015-03-25 | 上海斐讯数据通信技术有限公司 | SDN controller, routing/switching device and network defending method |
CN104519030A (en) * | 2013-09-30 | 2015-04-15 | 西门子公司 | Method and device for safety detection |
CN105207997A (en) * | 2015-08-19 | 2015-12-30 | 北京星网锐捷网络技术有限公司 | Anti-attack message forwarding method and system |
CN107438074A (en) * | 2017-08-08 | 2017-12-05 | 北京神州绿盟信息安全科技股份有限公司 | The means of defence and device of a kind of ddos attack |
2018-01-11: application CN201810024379.8A filed in CN (publication CN109327426A, status Pending)
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20190212 |