CN109561109A - A kind of message processing method and device

Info

Publication number: CN109561109A
Authority: CN (China)
Prior art keywords: address, source address, attack, tcp connection, name list
Legal status: Pending
Application number: CN201910040932.1A
Other languages: Chinese (zh)
Inventor: 杨宁
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd
Priority to CN201910040932.1A
Publication of CN109561109A

Classifications

    • H04W 12/06 Authentication (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04L 63/101 Access control lists [ACL] (under H04L 63/10 Network security for controlling access to devices or network resources)
    • H04L 63/1441 Countermeasures against malicious traffic (under H04L 63/14 Network security for detecting or protecting against malicious traffic)
    • H04W 12/12 Detection or prevention of fraud (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)

Abstract

The embodiments of the present application provide a message processing method and device. The method includes: receiving a request message requesting a TCP connection and obtaining the source address of the request message; querying whether a preset dynamic attack-source list contains an address matching the source address; and, if it does, cancelling the establishment of a TCP connection based on the request message. With the technical solution provided by the embodiments, the dynamic attack-source list stored in the AC limits the establishment of TCP connections between attack addresses and the AC. This in turn limits the number of HTTP/HTTPS messages with which a client requests the authentication page from the AC, so that the number of Portal server URLs the client obtains is reduced and the number of requests the client initiates to the Portal server is further limited. The Portal server handles fewer client requests, fewer of its resources are occupied, and it can provide normal service.

Description

A kind of message processing method and device
Technical field
This application relates to the field of communication technology, and in particular to a message processing method and device.
Background art
Portal authentication is one way of authenticating users. When an AC (Access Controller, wireless access controller) uses Portal authentication, a Portal filtering rule must be configured on an interface or wireless port of the AC. Through interaction with the client, the Portal filtering rule is used to achieve user identity authentication.
Specifically, a TCP (Transmission Control Protocol) connection is established between the client and the AC by way of a three-way handshake. During the three-way handshake, the AC matches the messages sent by the client against the configured Portal filtering rule, and the client can establish a TCP connection with the AC only if the match succeeds. After the TCP connection is established, the client sends the AC an HTTP/HTTPS message requesting the authentication page over that connection. Based on the received HTTP/HTTPS message, the AC feeds back to the client an HTTP/HTTPS message carrying the URL (Uniform Resource Locator) of the Portal server. The client thereby obtains the URL of the Portal server and uses it to request the authentication page from the Portal server; once the request succeeds, identity authentication can be carried out on the authentication page.
While the three-way handshake between the client and the AC is in progress, the client interacts with the AC through one port; after completing the handshake, the client has established one TCP connection with the AC through that port.
A normal client sends only a limited, small number of HTTP/HTTPS messages requesting the authentication page within a given period, and the AC feeds back only a corresponding number of HTTP/HTTPS messages carrying the URL. The number of times the client requests the authentication page from the Portal server according to the URL is therefore also limited, and the Portal server can provide normal service to every client.
However, if a client is infected, for example a virus program has been installed on it, it can send the AC a large number of HTTP/HTTPS messages requesting the authentication page through different ports. Correspondingly, the client receives from the AC a large number of HTTP/HTTPS messages carrying the Portal server's URL, and for the URL carried in each HTTP/HTTPS message the client can initiate one request to the Portal server. The client can thus initiate a large number of requests to the Portal server, occupying the Portal server's resources and affecting its ability to provide normal service.
Summary of the invention
The embodiments of the present application aim to provide a message processing method and device to solve the problem that a client initiating a large number of requests to the Portal server occupies excessive Portal server resources and so affects the Portal server's normal service. The specific technical solution is as follows:
In a first aspect, the embodiments of the present application provide a message processing method applied to an AC, the method comprising:
receiving a request message requesting a Transmission Control Protocol (TCP) connection, and obtaining the source address of the request message;
querying whether a preset dynamic attack-source list contains an address matching the source address, where the dynamic attack-source list records confirmed attack addresses, an attack address being confirmed on the basis that its TCP connection count with the AC is not less than a preset quantity threshold;
if it does, cancelling the establishment of a TCP connection based on the request message.
In a second aspect, the embodiments of the present application provide a message processing device applied to an AC, the device comprising:
a receiving module, for receiving a request message requesting a TCP connection and obtaining the source address of the request message;
a first query module, for querying whether a preset dynamic attack-source list contains an address matching the source address, where the dynamic attack-source list records confirmed attack addresses, an attack address being confirmed on the basis that its TCP connection count with the AC is not less than a preset quantity threshold;
a cancel module, for cancelling the establishment of a TCP connection based on the request message when the query result of the first query module is that such an address is present.
In a third aspect, the embodiments of the present application provide an AC comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, and the processor being caused by the machine-executable instructions to implement the steps of any of the above message processing methods.
In a fourth aspect, the embodiments of the present application provide a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the steps of any of the above message processing methods.
In the technical solution provided by the embodiments of the present application, a request message requesting a TCP connection is received and its source address is obtained; whether a preset dynamic attack-source list contains an address matching the source address is queried; and if it does, the establishment of a TCP connection based on the request message is cancelled. The AC stores a dynamic attack-source list recording attack addresses, and an attack address recorded in the dynamic attack-source list is confirmed on the basis that its TCP connection count is not less than the preset quantity threshold. When the dynamic attack-source list contains an address matching the source address of the request message, the source address can be considered an attack address, and the establishment of a TCP connection based on the request message is cancelled. In this way, the number of TCP connections established between an attack address and the AC is limited; once the number of TCP connections is limited or even reduced, the number of HTTP/HTTPS messages with which the client requests the authentication page from the AC is limited, so that the number of Portal server URLs the client obtains is reduced and the number of requests the client initiates to the Portal server is further limited. The Portal server handles fewer client requests, fewer of its resources are occupied, and it can provide normal service.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings required in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a message processing method provided by the embodiments of the present application;
Fig. 2 is another flowchart of a message processing method provided by the embodiments of the present application;
Fig. 3 is a structural schematic diagram of a message processing device provided by the embodiments of the present application;
Fig. 4 is a structural schematic diagram of an AC provided by the embodiments of the present application.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in this application without creative effort fall within the protection scope of this application.
To solve the problem that a client initiating a large number of requests to the Portal server occupies excessive Portal server resources and so affects the Portal server's normal service, the embodiments of the present application provide a message processing method and device applied to an AC, where a message processing method provided by the embodiments includes:
receiving a request message requesting a TCP connection, and obtaining the source address of the request message;
querying whether a preset dynamic attack-source list contains an address matching the source address, where the dynamic attack-source list records confirmed attack addresses, an attack address being confirmed on the basis that its TCP connection count with the AC is not less than a preset quantity threshold;
if it does, cancelling the establishment of a TCP connection based on the request message.
The message processing method provided by the embodiments of the present application is introduced first. As shown in Fig. 1, a message processing method provided by the embodiments, applied to an AC, includes the following steps.
S101: receive a request message requesting a TCP connection, and obtain the source address of the request message.
TCP connection establishment is based on the three-way handshake; in the first handshake, the terminal requesting the connection sends a SYN (Synchronize Sequence Numbers) message to the AC. The request message received by the AC can therefore be taken to be a SYN message.
S102: query whether a preset dynamic attack-source list contains an address matching the source address. If so, perform step S103.
The dynamic attack-source list records confirmed attack addresses, an attack address being confirmed on the basis that its TCP connection count with the AC is not less than a preset quantity threshold. The dynamic attack-source list is a list from which a recorded attack address is released when it meets a preset condition; a released attack address is deleted from the dynamic attack-source list. The preset condition can be set as desired: for example, it can be a deletion instruction issued by the user, or a preset duration, in which case an address that has been in the dynamic attack-source list for the preset duration meets the preset condition and can be deleted from the list.
That is, for any address, when the TCP connection count between that address and the AC is not less than the preset quantity threshold, the AC can determine that the address is an attack address and add it to the dynamic attack-source list.
A terminal may have multiple ports and can establish one TCP connection with the AC through each port. At any moment, the number of TCP connections between the terminal and the AC can therefore be one or more.
The preset quantity threshold can be set as desired. For example, if the preset quantity threshold is 10 and the AC learns that there are 12 TCP connections between terminal A and the AC, the AC can determine that the TCP connection count between terminal A and the AC is greater than the preset quantity threshold, and can store the address of terminal A in the dynamic attack-source list as an attack address.
If no address matching the source address is found in the dynamic attack-source list, the source address can be determined to be a non-attack address, and the AC can continue with the second and third handshakes with the source address and establish the TCP connection.
S103: cancel the establishment of a TCP connection based on the request message.
If an address matching the source address is found in the dynamic attack-source list, the source address can be determined to be an attack address; the AC can then cancel establishing a TCP connection with the source address based on the request message, and discard the request message.
In one embodiment, if no address matching the source address is found in the dynamic attack-source list, the TCP connection count between the source address and the AC can be determined.
In one implementation, the request message carries an indication of the TCP connection count between the source address and the AC; after receiving the request message and obtaining the indication from it, the AC can determine the TCP connection count between the source address and the AC.
For example, the request message is a SYN message, and every SYN message carries a sequence number Seq; the sequence number Seq can be used to indicate the TCP connection count between the source address and the AC. If the AC obtains a sequence number Seq of 5 from a received SYN message, the AC can determine that the TCP connection count between the source address and the AC is 5.
After determining the TCP connection count between the source address and the AC, judge whether the determined TCP connection count is not less than the preset quantity threshold.
The preset quantity threshold can be set for all source addresses, that is, every source address has the same preset quantity threshold. Alternatively, it can be set for a single source address, that is, one preset quantity threshold corresponds to one source address, and the preset quantity thresholds of different source addresses may differ.
For example, if the preset quantity threshold of source address 1 is 5, the TCP connection count between source address 1 and the AC is compared with 5; if the preset quantity threshold of source address 2 is 10, the TCP connection count between source address 2 and the AC is compared with 10.
The preset quantity threshold can be an upper limit on the TCP connection count set by the AC: the TCP connection count between a source address and the AC can at most reach the preset quantity threshold, and once it reaches that threshold, no further TCP connections are established between the source address and the AC. Alternatively, it may not be an upper limit on the TCP connection count but only the criterion for judging whether a source address is an attack address; in that case the TCP connection count between a source address and the AC can exceed the preset quantity threshold.
If the determined TCP connection count is judged to be not less than the preset quantity threshold, the request message can be discarded and the source address added to the dynamic attack-source list as an attack address. If the determined TCP connection count is judged to be less than the preset quantity threshold, the AC can continue with the second and third handshakes with the source address and establish the TCP connection.
In one embodiment, if the determined TCP connection count is judged to be not less than the preset quantity threshold, the following step can be performed before discarding the request message and adding the source address to the dynamic attack-source list as an attack address.
Within a first preset duration starting from the moment the determined TCP connection count is judged to be not less than the preset quantity threshold, detect whether the TCP connection count between the source address and the AC remains not less than the preset quantity threshold throughout.
The first preset duration can be set as desired. For example, if the determined TCP connection count is judged to be not less than the preset quantity threshold at 9:00 and the first preset duration is 1 hour, the first preset duration starting from that judgment is the period from 9:00 to 10:00.
Each TCP connection is disconnected after the HTTP/HTTPS messages have been transferred over it, so the TCP connection count between the source address and the AC can change. Within the first preset duration, the AC detects in real time whether the TCP connection count between the source address and the AC remains not less than the preset quantity threshold throughout.
If the TCP connection count between the source address and the AC remains not less than the preset quantity threshold throughout the first preset duration, the source address can be considered to have sent the AC a large number of messages requesting TCP connections, and a source address that sends a large number of messages within a period of time can be considered an attack address. The step of discarding the request message and adding the source address to the dynamic attack-source list as an attack address can therefore be performed.
In one embodiment, the attack addresses recorded in the dynamic attack-source list can change. Besides adding attack addresses to the dynamic attack-source list, when an attack address recorded in the list meets a preset condition, that attack address can be deleted from the list. The preset condition can be set as desired.
In one implementation, after the source address is added to the dynamic attack-source list as an attack address, it is deleted from the dynamic attack-source list once a second preset duration, starting from the moment it was added, has elapsed.
The second preset duration can be set as desired. For example, if the source address is added to the dynamic attack-source list at 12:00 and the second preset duration is 1 hour, the second preset duration starting from the moment of addition is the period from 12:00 to 13:00.
After the source address is deleted from the dynamic attack-source list, it can be considered a non-attack address; if the AC again receives a request message from the source address requesting a TCP connection, the AC can establish a TCP connection with the source address.
In one embodiment, the AC also stores a static attack-source list, which is used only to record attack addresses whose number of additions to the dynamic attack-source list has reached a preset times threshold. An attack address recorded in the static attack-source list cannot be deleted by any means other than manual deletion by the user.
The preset times threshold can be set as desired. The user can manually delete attack addresses recorded in the static attack-source list.
After the AC receives a request message and obtains its source address, it can also query whether the source address is present in the static attack-source list; if so, the source address can be determined to be an attack address, and the establishment of a TCP connection based on the request message is cancelled.
In one embodiment, the AC can record and accumulate, for each source address, the number of times it has been added to the dynamic attack-source list. After judging that a source address is not present in the dynamic attack-source list, the AC can obtain from the recorded counts the number of times that source address has been added to the dynamic attack-source list, and judge whether the obtained count reaches the preset times threshold.
If the obtained count reaches the preset times threshold, the source address can be added to the static attack-source list. Thereafter, when the AC again receives a request message from the source address requesting a TCP connection, because the static attack-source list records the source address, the AC can cancel the establishment of a TCP connection based on the request message and discard the request message. If the obtained count has not reached the preset times threshold, the source address is not added to the static attack-source list.
For example, with a preset times threshold of 3, after the AC receives a request message sent by source address 11.2.1.25, it determines from the recorded counts the number of times 11.2.1.25 has been added to the dynamic attack-source list; if the determined count is 3, the preset times threshold is reached and 11.2.1.25 is added to the static attack-source list. When a request message sent by 11.2.1.25 is subsequently received, the establishment of a TCP connection based on it can be cancelled and the request message discarded.
In addition, after adding a source address to the static attack-source list, the AC can reset the recorded number of times that source address has been added to the dynamic attack-source list. Then, after the user deletes the source address from the static attack-source list, the AC can again count from 0 the number of times the source address is added to the dynamic attack-source list.
The embodiment of the present application also provides a kind of message processing method, as shown in Fig. 2, the message processing method includes following step Suddenly.
S201 receives the request message for requesting TCP connection, and the source address of acquisition request message.
Terminal establishes TCP connection to AC request, and when shaking hands for the first time, terminal sends SYN message (Seq=9) to AC, should The address 11.1.1.25 of the terminal is carried in SYN message, i.e. the source address of SYN message is 11.1.1.25.AC receives SYN report Wen Hou can obtain source address 11.1.1.25 from SYN message.
S202, query whether an address matching the source address exists in the dynamic attack source list or in the static attack source list. If so, execute step S203; if not, execute step S204.
After obtaining the source address 11.1.1.25 from the SYN message, the AC queries whether an address matching 11.1.1.25 exists in the dynamic attack source list and in the static attack source list.
S203, cancel establishing the TCP connection based on the request message.
If the query finds 11.1.1.25 in the dynamic attack source list, or in the static attack source list, or in both lists, 11.1.1.25 can be regarded as an attack address, and establishing the TCP connection based on the SYN message is cancelled.
S204, determine the number of TCP connections between the source address and the AC, and judge whether the determined number of TCP connections is not less than a preset quantity threshold. If so, execute step S205.
If neither the dynamic attack source list nor the static attack source list records an address matching 11.1.1.25, then according to the Seq obtained from the SYN message it can be determined that the number of TCP connections between 11.1.1.25 and the AC is 9. When the preset quantity threshold is 9, it can be judged that the number of TCP connections between 11.1.1.25 and the AC is equal to the preset quantity threshold.
S205, within a first preset duration starting from the moment the determined number of TCP connections is judged to be not less than the preset quantity threshold, detect whether the number of TCP connections between the source address and the AC remains not less than the preset quantity threshold throughout. If so, execute step S206.
If the moment at which the number of TCP connections between 11.1.1.25 and the AC is judged to equal the preset quantity threshold is 9 o'clock, and the first preset duration is 1 hour, then during the period from 9 o'clock to 10 o'clock it is detected whether the number of TCP connections between 11.1.1.25 and the AC stays at 9 or more throughout.
S206, discard the request message, and add the source address to the dynamic attack source list as an attack address.
If the number of TCP connections between 11.1.1.25 and the AC remains not less than 9 throughout the period from 9 o'clock to 10 o'clock, the SYN message can be discarded and 11.1.1.25 added to the dynamic attack source list as an attack address.
The moment at which 11.1.1.25 is added to the dynamic attack source list as an attack address is 10 o'clock; if the second preset duration is 2 hours, then 11.1.1.25 is deleted from the dynamic attack source list at 12 o'clock.
S207, judge whether the number of times the source address has been added to the dynamic attack source list reaches a preset times threshold. If so, execute step S208.
The preset times threshold is 3. The addition of 11.1.1.25 to the dynamic attack source list at 10 o'clock described above is the first time; 11.1.1.25 is added to the dynamic attack source list again at 13 o'clock, and a third time at 20 o'clock. The preset times threshold is reached at the third addition.
S208, add the source address to the static attack source list.
At 20 o'clock, 11.1.1.25 is added to the dynamic attack source list for the third time, at which point the preset times threshold is reached, so 11.1.1.25 is added to the static attack source list.
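The filtering logic of steps S202 through S208, as an added example that is not part of the patent or of any H3C product code. It models the AC's two lists in Python with an injectable clock so that the page's timeline for 11.1.1.25 can be replayed. Two simplifying assumptions are made: the per-address connection count is supplied by the caller (the patent derives it from the SYN's Seq, which this example does not reproduce), and the first-preset-duration check runs when the next SYN from that address arrives rather than on a timer.

```python
"""Simulation of the AC-side SYN filtering described in steps S202-S208 (example code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

HOUR = 3600.0  # seconds; the page's example counts in whole hours


@dataclass
class AttackSourceFilter:
    """Dynamic and static attack source lists of one AC.

    Defaults are the values used in the page's worked example:
    9 connections, 1 hour window, 2 hour dynamic-list lifetime, 3 additions.
    """
    conn_threshold: int = 9             # preset quantity threshold
    first_duration: float = 1 * HOUR    # first preset duration (observation window)
    second_duration: float = 2 * HOUR   # second preset duration (dynamic entry lifetime)
    times_threshold: int = 3            # preset times threshold
    dynamic: Dict[str, float] = field(default_factory=dict)      # addr -> expiry time
    static: Set[str] = field(default_factory=set)                # permanently listed addrs
    add_count: Dict[str, int] = field(default_factory=dict)      # addr -> times added to dynamic list
    over_since: Dict[str, float] = field(default_factory=dict)   # addr -> start of observation window

    def _expire(self, now: float) -> None:
        # Deletion after the second preset duration (the "deleted at 12 o'clock" step).
        for addr in [a for a, exp in self.dynamic.items() if exp <= now]:
            del self.dynamic[addr]

    def handle_syn(self, src: str, conn_count: int, now: float) -> str:
        """Decide what to do with a SYN from `src` received at time `now`.

        conn_count is the number of TCP connections currently open between src
        and the AC (assumption: taken from the AC's connection table).
        Returns "cancel" (S203), "drop" (S206) or "accept".
        """
        self._expire(now)
        # S202/S203: an address on either list gets no new connection.
        if src in self.static or src in self.dynamic:
            return "cancel"
        # S204: below the threshold; any running observation window is abandoned,
        # because S205 requires the count to stay at or above the threshold throughout.
        if conn_count < self.conn_threshold:
            self.over_since.pop(src, None)
            return "accept"
        # S205: start (or continue) the observation window for this address.
        start = self.over_since.setdefault(src, now)
        if now - start < self.first_duration:
            return "accept"
        # S206: the window elapsed without the count dropping; list the address.
        self.over_since.pop(src, None)
        self.dynamic[src] = now + self.second_duration
        self.add_count[src] = self.add_count.get(src, 0) + 1
        # S207/S208: an address listed often enough moves to the static list.
        if self.add_count[src] >= self.times_threshold:
            self.static.add(src)
        return "drop"


def run_page_scenario() -> List[Tuple[int, str]]:
    """Replays the page's timeline for 11.1.1.25 with constructed (hour, connection count) events."""
    f = AttackSourceFilter()
    events = [(9, 9), (10, 9), (11, 9), (12, 9), (13, 9),
              (14, 9), (15, 8), (19, 9), (20, 9), (23, 9)]
    return [(h, f.handle_syn("11.1.1.25", count, h * HOUR)) for h, count in events]


if __name__ == "__main__":
    for hour, decision in run_page_scenario():
        print(f"{hour:02d}:00  {decision}")
```

In the replayed scenario the SYN at 9 o'clock is accepted and opens the observation window, the SYN at 10 o'clock is dropped and 11.1.1.25 enters the dynamic list (first addition), the entry expires at 12 o'clock, the address is listed again at 13 o'clock, and the third addition at 20 o'clock moves it to the static list, so the SYN at 23 o'clock is still cancelled even though the dynamic entry has expired.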
Corresponding to the above message processing method embodiment, the embodiment of the present application provides a message processing device applied to an AC. As shown in Fig. 3, the message processing device includes:
a receiving module 310, configured to receive a request message requesting a TCP connection and to obtain the source address of the request message;
a first query module 320, configured to query whether an address matching the source address exists in a preset dynamic attack source list, where the dynamic attack source list records confirmed attack addresses, and an attack address is confirmed based on the number of TCP connections between it and the AC being not less than a preset quantity threshold;
a cancellation module 330, configured to cancel establishing the TCP connection based on the request message when the query result of the first query module is that such an address exists.
In one embodiment, the message processing device may further include:
a determining module, configured to determine the number of TCP connections between the source address and the AC when no address matching the source address exists in the dynamic attack source list;
a first judging module, configured to judge whether the determined number of TCP connections is not less than the preset quantity threshold;
a first adding module, configured to discard the request message and add the source address to the dynamic attack source list as an attack address when the judging result of the first judging module is yes.
In one embodiment, the message processing device may further include:
a detection module, configured to detect, within a first preset duration starting from the moment the determined number of TCP connections is judged to be not less than the preset quantity threshold, whether the number of TCP connections between the source address and the AC remains not less than the preset quantity threshold throughout; if so, to trigger the first adding module to perform the step of discarding the request message and adding the source address to the dynamic attack source list as an attack address.
In one embodiment, the message processing device may further include:
a deletion module, configured to delete the source address from the dynamic attack source list after a second preset duration starting from the moment the source address was added to the dynamic attack source list.
In one embodiment, the AC also stores a static attack source list, which is used to record attack addresses whose number of additions to the dynamic attack source list has reached a preset times threshold; the message processing device may further include:
a second query module, configured to query whether the source address exists in the static attack source list;
the cancellation module 330 is further configured to cancel establishing the TCP connection based on the request message when the query result of the second query module is that the source address exists.
In one embodiment, the message processing device may further include:
a second judging module, configured to judge, when the source address does not exist in the static attack source list, whether the number of times the source address has been added to the dynamic attack source list reaches the preset times threshold;
a second adding module, configured to add the source address to the static attack source list when the judging result of the second judging module is yes, so that when the AC again receives a request message sent by an attack address in the static attack source list, it cancels establishing the TCP connection based on that request message.
In the technical solution provided by the embodiments of the present application, a request message requesting a TCP connection is received and the source address of the request message is obtained; whether an address matching the source address exists in a preset dynamic attack source list is queried, and if it exists, establishing the TCP connection based on the request message is cancelled. With this technical solution, the AC stores a dynamic attack source list that records attack addresses, and the attack addresses recorded in the dynamic attack source list are confirmed based on the number of TCP connections being not less than a preset quantity threshold. When an address matching the source address of the request message exists in the dynamic attack source list, the source address can be regarded as an attack address and establishing the TCP connection based on the request message is cancelled. In this way the number of TCP connections established between the AC and a source address that is an attack address is limited; once the number of TCP connections is limited or even reduced, the number of HTTP/HTTPS messages with which the client requests the authentication page from the AC is limited, so that the number of Portal server URLs obtained by the client is reduced, which further limits the number of requests the client initiates to the Portal server. The number of client requests the Portal server has to process is reduced and the resources it occupies are reduced, so that the Portal server can provide normal service.
The embodiment of the present application also provides an AC which, as shown in Fig. 4, includes a processor 410 and a machine-readable storage medium 420; the machine-readable storage medium 420 stores machine-executable instructions that can be executed by the processor 410.
In addition, as shown in Fig. 4, the AC may further include a communication interface 430 and a communication bus 440, where the processor 410, the machine-readable storage medium 420 and the communication interface 430 communicate with one another via the communication bus 440, and the communication interface 430 is used for communication between the AC and other devices.
The processor 410 is prompted to execute any of the above message processing method embodiments, where the message processing method includes:
receiving a request message requesting a TCP connection, and obtaining the source address of the request message;
querying whether an address matching the source address exists in a preset dynamic attack source list, where the dynamic attack source list records confirmed attack addresses, and an attack address is confirmed based on the number of TCP connections between it and the AC being not less than a preset quantity threshold;
if it exists, cancelling establishing the TCP connection based on the request message.
The above communication bus 440 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, etc. The communication bus 440 may be divided into an address bus, a data bus, a control bus, etc. For ease of representation only one thick line is drawn in Fig. 4, which does not mean that there is only one bus or only one type of bus.
The machine-readable storage medium 420 may include RAM (Random Access Memory) and may also include NVM (Non-Volatile Memory), for example at least one magnetic disk storage. In addition, the machine-readable storage medium 420 may also be at least one storage device located remotely from the aforementioned processor.
The above processor 410 may be a general-purpose processor, including a CPU (Central Processing Unit), an NP (Network Processor), etc.; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Corresponding to the above message processing method embodiment, the embodiment of the present application also provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, prompt the processor to implement the above message processing method.
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of more restrictions, an element defined by the sentence "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
Each embodiment in this specification is described in a related manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the message processing device, AC and machine-readable storage medium embodiments are substantially similar to the message processing method embodiment, they are described relatively briefly, and the relevant parts may refer to the partial explanation of the method embodiment.
The foregoing is merely the preferred embodiments of the application and is not intended to limit the protection scope of the application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the application are all contained within the protection scope of the application.

Claims (10)

1. A message processing method, characterized in that it is applied to a wireless controller (AC), the method comprising:
receiving a request message requesting a Transmission Control Protocol (TCP) connection, and obtaining the source address of the request message;
querying whether an address matching the source address exists in a preset dynamic attack source list, wherein the dynamic attack source list records confirmed attack addresses, and the attack address is confirmed based on the number of TCP connections between it and the AC being not less than a preset quantity threshold;
if it exists, cancelling establishing the TCP connection based on the request message.
2. The method according to claim 1, characterized in that the method further comprises:
if no address matching the source address exists in the dynamic attack source list, determining the number of TCP connections between the source address and the AC;
judging whether the determined number of TCP connections is not less than the preset quantity threshold;
if so, discarding the request message, and adding the source address to the dynamic attack source list as an attack address.
3. The method according to claim 2, characterized in that, before the step of discarding the request message and adding the source address to the dynamic attack source list as an attack address, the method further comprises:
within a first preset duration starting from the moment the determined number of TCP connections is judged to be not less than the preset quantity threshold, detecting whether the number of TCP connections between the source address and the AC remains not less than the preset quantity threshold throughout;
if so, performing the step of discarding the request message and adding the source address to the dynamic attack source list as an attack address.
4. The method according to any one of claims 2-3, characterized in that, after the step of adding the source address to the dynamic attack source list as an attack address, the method further comprises:
after a second preset duration starting from the moment the source address was added to the dynamic attack source list, deleting the source address from the dynamic attack source list.
5. The method according to claim 4, characterized in that the AC also stores a static attack source list, the static attack source list being used to record attack addresses whose number of additions to the dynamic attack source list has reached a preset times threshold; the method further comprises:
querying whether the source address exists in the static attack source list;
if it exists, cancelling establishing the TCP connection based on the request message.
6. The method according to claim 5, characterized in that the method further comprises:
if the source address does not exist in the static attack source list, judging whether the number of times the source address has been added to the dynamic attack source list reaches the preset times threshold;
if so, adding the source address to the static attack source list, so that when the AC again receives a request message sent by an attack address in the static attack source list, it cancels establishing the TCP connection based on that request message.
7. A message processing device, characterized in that it is applied to an AC, the device comprising:
a receiving module, configured to receive a request message requesting a TCP connection, and to obtain the source address of the request message;
a first query module, configured to query whether an address matching the source address exists in a preset dynamic attack source list, wherein the dynamic attack source list records confirmed attack addresses, and the attack address is confirmed based on the number of TCP connections between it and the AC being not less than a preset quantity threshold;
a cancellation module, configured to cancel establishing the TCP connection based on the request message when the query result of the first query module is that such an address exists.
8. The device according to claim 7, characterized in that the device further comprises:
a determining module, configured to determine the number of TCP connections between the source address and the AC when no address matching the source address exists in the dynamic attack source list;
a first judging module, configured to judge whether the determined number of TCP connections is not less than the preset quantity threshold;
a first adding module, configured to discard the request message and add the source address to the dynamic attack source list as an attack address when the judging result of the first judging module is yes.
9. An AC, characterized in that it includes a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions that can be executed by the processor, and the processor being prompted by the machine-executable instructions to implement the method steps of any one of claims 1-6.
10. A machine-readable storage medium, characterized in that it stores machine-executable instructions which, when called and executed by a processor, prompt the processor to implement the method steps of any one of claims 1-6.
Application CN201910040932.1A, priority date 2019-01-16, filing date 2019-01-16, title "A kind of message processing method and device", status Pending, publication CN109561109A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910040932.1A CN109561109A (en) 2019-01-16 2019-01-16 A kind of message processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910040932.1A CN109561109A (en) 2019-01-16 2019-01-16 A kind of message processing method and device

Publications (1)

Publication Number Publication Date
CN109561109A true CN109561109A (en) 2019-04-02

Family

ID=65873120

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910040932.1A Pending CN109561109A (en) 2019-01-16 2019-01-16 A kind of message processing method and device

Country Status (1)

Country Link
CN (1) CN109561109A (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1874303A (en) * 2006-03-04 2006-12-06 Huawei Technologies Co., Ltd. Method for implementing black sheet
US20070118894A1 (en) * 2005-11-23 2007-05-24 Nextone Communications, Inc. Method for responding to denial of service attacks at the session layer or above
CN101188612A (en) * 2007-12-10 2008-05-28 ZTE Corporation A blacklist real time management method and device
CN101227467A (en) * 2008-01-08 2008-07-23 ZTE Corporation Apparatus and method for managing black list
CN101296182A (en) * 2008-05-20 2008-10-29 Huawei Technologies Co., Ltd. Data transmission control method and data transmission control device
CN101510908A (en) * 2009-03-12 2009-08-19 ZTE Corporation Method and apparatus for implementing terminal calling firewall
CN102143143A (en) * 2010-10-15 2011-08-03 Huawei Digital Technologies Co., Ltd. Method and device for defending network attack, and router
CN103051633A (en) * 2012-12-25 2013-04-17 Huawei Technologies Co., Ltd. Attack prevention method and equipment
CN103391546A (en) * 2013-07-12 2013-11-13 Hangzhou H3C Technologies Co., Ltd. Wireless attack detection and defense device and method thereof
CN104348816A (en) * 2013-08-07 2015-02-11 Huawei Digital Technologies (Suzhou) Co., Ltd. Method for protecting Cookie information and front gateway of Web server
CN108901025A (en) * 2018-07-10 2018-11-27 Maipu Communication Technology Co., Ltd. A kind of rogue access point counter method and counter equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190402